DEVSECOPS
TOMAS HONZAK, CISM
CHIEF INFORMATION SECURITY OFFICER
GOODDATA CORPORATION
1
TOMAS HONZAK / DEVSECOPS
IMAGINE YOU HAVE A NICE AGILE COMPANY …
2
AND YOU RUN DEVOPS …
3
BUT THEN, SUDDENLY …
4
WHAT SHALL YOU DO?
“PANIC?”
5
OF COURSE NOT … YOU CAN GET CONSULTANTS!
6
BUT HOW WILL IT END UP?
(process diagram)
▸ Release Plan
▸ Change Control Board Approval
▸ Release Manager Approval
▸ Documented Meeting Minutes
▸ Project Manager
7
AND WE STILL DID NOT ADD ANY “REAL” SECURITY …
Dynamic code analysis
Secure Code Review
8
IF ONLY THERE WAS A BETTER WAY…
9
KEY DEVSECOPS PRINCIPLES
▸ Embrace the cultural and practical changes
  ▸ Integrate security in the whole lifecycle, from requirements, design and analysis to testing, deployment and operations
▸ Automate your critical processes
  ▸ Automation helps prevent errors and omissions and provides reliable assurance both for you and your auditors
▸ Empower your teams
  ▸ Like all things Agile, the teams must know what they are doing
10
ADDING THE “SEC” INTO DEVOPS PART 1 - DEVSEC
(pipeline diagram, stages in order)
▸ JIRA # TO COMMIT MESSAGE
▸ “COMPLIANCE CHECK”
▸ SAST
▸ SIGN THE PACKAGE
▸ VERIFY THE SIGNATURE
▸ APPLY CONFIGURATION AS CODE
▸ BURP SUITE / OWASP ZAP
▸ SECURE AND AUTOMATED
▸ LOGGED, ALERTED, REVIEWED
11
DEVSEC SUMMARY
▸ Move security as much to the left as possible
▸ Enhance your CI/CD pipeline with security testing tools
  ▸ Static Code Analysis (SonarQube)
  ▸ Lightweight penetration testing (Burp / OWASP ZAP)
▸ Enforce change control, approvals and SoD (separation of duties) by gating (Zuul)
  ▸ “JIRA ticket = approval, peer review = SoD”
▸ Secure the environment and log everything
  ▸ (traceability and accountability)
12
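The gating rule on this slide, “JIRA ticket = approval, peer review = SoD”, written out as the check a gate such as Zuul would run before a change is allowed to merge. This is an added example, not code from the deck or from GoodData: the ticket table, commit subjects and reviewer names are constructed sample data, and the project key SEC and the workflow status name “Approved” are assumptions.

```python
"""Merge gate implementing "JIRA ticket = approval, peer review = SoD".

Added example, not the deck's or GoodData's code. The ticket table,
commits and reviewers are constructed sample data; the project key
'SEC' and the status name 'Approved' are assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed ticket key format PROJECT-123, required at the start of the
# commit subject so a key mentioned in passing does not count.
TICKET_RE = re.compile(r"^(?P<key>[A-Z][A-Z0-9]+-\d+)\b")

# Constructed stand-in for a JIRA lookup: key -> (workflow status, assignee)
TICKETS = {
    "SEC-101": ("Approved", "alice"),
    "SEC-102": ("In Progress", "bob"),
    "SEC-103": ("Approved", "carol"),
}


@dataclass
class Change:
    author: str
    commits: list[str]                                   # commit subject lines
    approvals: list[str] = field(default_factory=list)   # reviewers who approved


def gate(change: Change, tickets: dict = TICKETS) -> list[str]:
    """Return policy violations; an empty list means the change may merge.

    Approval comes from the referenced ticket being in the approved
    workflow state; separation of duties from at least one approving
    reviewer who is not the author.
    """
    problems: list[str] = []
    keys: set[str] = set()

    for subject in change.commits:
        m = TICKET_RE.match(subject)
        if m is None:
            problems.append(f"commit {subject!r}: no ticket key in subject")
        else:
            keys.add(m.group("key"))

    for key in sorted(keys):
        entry = tickets.get(key)
        if entry is None:
            problems.append(f"{key}: ticket does not exist")
        elif entry[0] != "Approved":
            problems.append(f"{key}: status is {entry[0]!r}, not 'Approved'")

    # SoD: the author's own approval never counts as the peer review.
    if not any(reviewer != change.author for reviewer in change.approvals):
        problems.append("no peer approval independent of the author")

    return problems


if __name__ == "__main__":
    good = Change("alice", ["SEC-101 validate upload size"], approvals=["bob"])
    bad = Change("alice", ["fix stuff", "SEC-102 wip", "SEC-999 x"], approvals=["alice"])
    for change in (good, bad):
        verdict = gate(change)
        print("MERGE" if not verdict else "BLOCK", verdict)
```

The key is anchored at the start of the subject on purpose: a ticket number quoted in the middle of a message is a reference, not a claim that the commit implements it. All violations are collected rather than failing on the first one, so the developer gets the whole list in a single pipeline run.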
ADDING THE “SEC” INTO DEVOPS PART 2 - SECOPS
(feedback-loop diagram, stages in order)
▸ APPLICATION LOGS
▸ LOGGED
▸ ALERTED
▸ REVIEWED AND RESOLVED
▸ ESCALATED
▸ FEEDBACK
13
SECOPS SUMMARY
▸ Security built in on all levels
  ▸ Not only “DevSec”, but also the non-functional requirements: secrets management, logging, encryption, …
▸ Images / containers / infrastructure / network hardening
  ▸ No unnecessary software, no default passwords, firewalls in deny-all mode, monitored bastion hosts in the DMZ with session logging and strong authentication/authorization, …
▸ Configuration management, automated compliance
  ▸ Orchestrated CM, anything-as-code (including firewall rules, access control etc.), code reviews + alerts
▸ Automated threat intelligence, scans, detection, alerting and response
  ▸ Vulnerability scans, HIDS/NIDS, log monitoring and analysis, SIEM, …
▸ Combination of Operations and Security in the same on-call team
  ▸ Not everyone can be a top-class security expert: keep those in a virtual CSIRT, not in Ops
14
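The “application logs → logged → alerted → reviewed and resolved → escalated → feedback” loop from the SecOps diagram, as detection logic run over application log lines. This is an added example, not code from the deck or from GoodData: the log line format, the sample lines, the 5-failures-in-60-seconds alert threshold and the 10-further-failures escalation threshold are all constructed assumptions.

```python
"""Log -> alert -> escalate loop from the SecOps slide, run over
application log lines.

Added example, not the deck's or GoodData's code. The log format, the
sample lines and the thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<iso-ts> <service> <event> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<svc>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")

ALERT_AFTER = 5                  # failed logins from one source within WINDOW
WINDOW = timedelta(seconds=60)
ESCALATE_AFTER = 10              # further failures while the alert is still open


def parse(line: str):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    fields["svc"], fields["event"] = m.group("svc"), m.group("event")
    return fields


class Monitor:
    """Tracks each source through LOGGED -> ALERTED -> ESCALATED -> RESOLVED."""

    def __init__(self):
        self.window = defaultdict(deque)   # src -> failure timestamps inside WINDOW
        self.state = {}                    # src -> "ALERTED" | "ESCALATED"
        self.after_alert = defaultdict(int)
        self.timeline = []                 # (state, src, ts): the audit trail

    def ingest(self, line: str) -> None:
        ev = parse(line)
        if ev is None or ev["event"] != "auth.login" or ev.get("result") != "fail":
            return                         # logged only, nothing to do
        src, ts = ev["src"], ev["ts"]
        state = self.state.get(src)
        if state is None:
            q = self.window[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()                # drop failures older than the window
            if len(q) >= ALERT_AFTER:
                self.state[src] = "ALERTED"
                self.timeline.append(("ALERTED", src, ts))
        elif state == "ALERTED":
            self.after_alert[src] += 1
            if self.after_alert[src] >= ESCALATE_AFTER:
                self.state[src] = "ESCALATED"
                self.timeline.append(("ESCALATED", src, ts))

    def resolve(self, src: str, ts: datetime) -> None:
        """On-call reviewed and resolved the alert; clear state so the source
        is watched afresh. The timeline entry is the feedback to the team."""
        for table in (self.state, self.window, self.after_alert):
            table.pop(src, None)
        self.timeline.append(("RESOLVED", src, ts))


def sample_lines() -> list[str]:
    """Constructed log: 15 failures from one source, a success and one
    failure from another source, and one malformed line."""
    base = datetime.fromisoformat("2024-06-01T10:00:00+00:00")
    lines = []
    for i in range(15):
        stamp = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{stamp} api auth.login result=fail user=admin src=203.0.113.5")
    lines.insert(3, "2024-06-01T10:00:05Z api auth.login result=ok user=dana src=198.51.100.7")
    lines.append("2024-06-01T10:00:30Z api auth.login result=fail user=dana src=198.51.100.7")
    lines.append("this line is not in the expected format")
    return lines


def run_sample() -> list:
    mon = Monitor()
    for line in sample_lines():
        mon.ingest(line)
    mon.resolve("203.0.113.5", datetime.fromisoformat("2024-06-01T10:05:00+00:00"))
    return mon.timeline


if __name__ == "__main__":
    for state, src, ts in run_sample():
        print(f"{ts.isoformat()} {state:9} {src}")
```

Two design points carry over to a real SIEM rule: malformed lines are dropped rather than raising, so one bad log line cannot stall the detector, and the escalation counter only starts once an alert is open, so a source that trips the alert and then stops is left for the on-call review instead of being escalated automatically.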
OH, AND BY THE WAY … WERE YOU WORRIED ABOUT
SECURE BY (DESIGN) DEVSECOPS
15
OK, WE DID THAT ALL. ARE WE 100 % SECURE NOW?
Of course not :) :(, but you decreased the risks a lot:
▸ Increased prevention and detection capabilities
▸ Faster response, no handover between Security and Ops
▸ Faster recovery thanks to automation and *-as-code
▸ Cultural change, better communication and straightforward feedback
16
THANKS FOR YOUR ATTENTION!
ANY QUESTIONS?
Tomas Honzak
tomas@honzak.cz

More Related Content

What's hot

[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
Stefan Streichsbier
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
CI/CD Best Practices for Your DevOps Journey
CI/CD Best  Practices for Your DevOps JourneyCI/CD Best  Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps Journey
DevOps.com
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
idsecconf
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Cheah Eng Soon
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
Michael Man
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
Stefan Streichsbier
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
DevOps.com
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevOps Maturity Curve v5
DevOps Maturity Curve v5DevOps Maturity Curve v5
DevOps Maturity Curve v5
Paul Peissner
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
Hendri Karisma
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for Enterprise
Opsta
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 

What's hot (20)

[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
CI/CD Best Practices for Your DevOps Journey
CI/CD Best  Practices for Your DevOps JourneyCI/CD Best  Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps Journey
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
DevOps Maturity Curve v5
DevOps Maturity Curve v5DevOps Maturity Curve v5
DevOps Maturity Curve v5
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for Enterprise
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 

Recently uploaded

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 

Recently uploaded (20)

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 

DevSecOps

  • 1. DEVSECOPS TOMAS HONZAK, CISM CHIEF INFORMATION SECURITY OFFICER GOODDATA CORPORATION 1
  • 2. TOMAS HONZAK / DEVSECOPS IMAGINE YOU HAVE A NICE AGILE COMPANY … 2
  • 3. TOMAS HONZAK / DEVSECOPS IMAGINE YOU HAVE A NICE AGILE COMPANY … 2
  • 4. TOMAS HONZAK / DEVSECOPS AND YOU RUN DEVOPS … 3
  • 5. TOMAS HONZAK / DEVSECOPS AND YOU RUN DEVOPS … 3
  • 6. TOMAS HONZAK / DEVSECOPS AND YOU RUN DEVOPS … 3
  • 7. TOMAS HONZAK / DEVSECOPS BUT THEN, SUDDENLY … 4
  • 8. TOMAS HONZAK / DEVSECOPS BUT THEN, SUDDENLY … 4
  • 9. TOMAS HONZAK / DEVSECOPS BUT THEN, SUDDENLY … 4
  • 10. TOMAS HONZAK / DEVSECOPS BUT THEN, SUDDENLY … 4
  • 11. TOMAS HONZAK / DEVSECOPS BUT THEN, SUDDENLY … 4
  • 12. TOMAS HONZAK / DEVSECOPS BUT THEN, SUDDENLY … 4
  • 13. TOMAS HONZAK / DEVSECOPS WHAT SHALL YOU DO? 5
  • 14. TOMAS HONZAK / DEVSECOPS WHAT SHALL YOU DO? “PANIC?” 5
  • 15. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 16. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 17. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 18. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 19. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 20. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 21. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 22. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 23. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 24. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 25. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 26. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 27. TOMAS HONZAK / DEVSECOPS OF COURSE NOT … YOU CAN GET CONSULTANTS! 6
  • 28. TOMAS HONZAK / DEVSECOPS BUT HOW WILL IT END UP? 7
  • 29. TOMAS HONZAK / DEVSECOPS BUT HOW WILL IT END UP? 7
  • 30. TOMAS HONZAK / DEVSECOPS BUT HOW WILL IT END UP? Release Plan 7
  • 31. TOMAS HONZAK / DEVSECOPS BUT HOW WILL IT END UP? Release Plan Change Control Board Approval 7
  • 32. TOMAS HONZAK / DEVSECOPS BUT HOW WILL IT END UP? Release Plan Change Control Board Approval Release Manager 
 Approval 7
  • 33. TOMAS HONZAK / DEVSECOPS BUT HOW WILL IT END UP? Release Plan Change Control Board Approval Release Manager 
 Approval Documented 
 Meeting
 Minutes 7
  • 34. TOMAS HONZAK / DEVSECOPS BUT HOW WILL IT END UP? Release Plan Change Control Board Approval Release Manager 
 Approval Documented 
 Meeting
 Minutes Project 
 Manager 7
  • 35. TOMAS HONZAK / DEVSECOPS AND WE STILL DID NOT ADD ANY “REAL” SECURITY … 8
  • 36. TOMAS HONZAK / DEVSECOPS AND WE STILL DID NOT ADD ANY “REAL” SECURITY … 8
  • 37. TOMAS HONZAK / DEVSECOPS AND WE STILL DID NOT ADD ANY “REAL” SECURITY … Dynamic code analysis 8
  • 38. TOMAS HONZAK / DEVSECOPS AND WE STILL DID NOT ADD ANY “REAL” SECURITY … Dynamic code analysis 8
  • 39. TOMAS HONZAK / DEVSECOPS AND WE STILL DID NOT ADD ANY “REAL” SECURITY … Dynamic code analysis Secure Code Review 8
  • 40. TOMAS HONZAK / DEVSECOPS AND WE STILL DID NOT ADD ANY “REAL” SECURITY … Dynamic code analysis Secure Code Review 8
  • 41. TOMAS HONZAK / DEVSECOPS AND WE STILL DID NOT ADD ANY “REAL” SECURITY … Dynamic code analysis Secure Code Review 8
  • 42. TOMAS HONZAK / DEVSECOPS AND WE STILL DID NOT ADD ANY “REAL” SECURITY … Dynamic code analysis Secure Code Review 8
  • 43. TOMAS HONZAK / DEVSECOPS AND WE STILL DID NOT ADD ANY “REAL” SECURITY … Dynamic code analysis Secure Code Review 8
  • 44. TOMAS HONZAK / DEVSECOPS IF ONLY THERE WAS A BETTER WAY… 9
  • 45. TOMAS HONZAK / DEVSECOPS IF ONLY THERE WAS A BETTER WAY… 9
  • 46. TOMAS HONZAK / DEVSECOPS IF ONLY THERE WAS A BETTER WAY… 9
  • 47. TOMAS HONZAK / DEVSECOPS IF ONLY THERE WAS A BETTER WAY… 9
  • 48. TOMAS HONZAK / DEVSECOPS KEY DEVSECOPS PRINCIPLES 10
  • 49. TOMAS HONZAK / DEVSECOPS KEY DEVSECOPS PRINCIPLES ▸ Embrace the cultural and practical changes ▸ Integrate security in the whole lifecycle, from requirements, design and analysis to testing, deployment and operations 10
  • 50. TOMAS HONZAK / DEVSECOPS KEY DEVSECOPS PRINCIPLES ▸ Embrace the cultural and practical changes ▸ Integrate security in the whole lifecycle, from requirements, design and analysis to testing, deployment and operations ▸ Automate your critical processes ▸ Automation helps prevent errors and omissions and provides reliable assurance both for you and your auditors 10
  • 51. TOMAS HONZAK / DEVSECOPS KEY DEVSECOPS PRINCIPLES ▸ Embrace the cultural and practical changes ▸ Integrate security in the whole lifecycle, from requirements, design and analysis to testing, deployment and operations ▸ Automate your critical processes ▸ Automation helps prevent errors and omissions and provides reliable assurance both for you and your auditors ▸ Empower your teams ▸ Like all things Agile, the teams must know what they are doing 10
• 52. ADDING THE “SEC” INTO DEVOPS, PART 1 - DEVSEC
(pipeline diagram, built up one control at a time in this order:) JIRA # TO COMMIT MESSAGE → “COMPLIANCE CHECK” → SAST → SIGN THE PACKAGE → BURP SUITE / OWASP ZAP → VERIFY THE SIGNATURE → APPLY CONFIGURATION AS A CODE → SECURE AND AUTOMATED → LOGGED, ALERTED, REVIEWED
• 62. DEVSEC SUMMARY
▸ Move security as much to the left as possible
▸ Enhance your CI/CD pipeline with security testing tools
  ▸ Static Code Analysis (SonarQube)
  ▸ Lightweight penetration testing (Burp / OWASP ZAP)
▸ Enforce change control, approvals and SoD by gating (Zuul)
  ▸ “JIRA ticket = approval, peer review = SoD”
▸ Secure the environment and log everything
  ▸ (traceability and accountability)
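The gating rule in the summary (“JIRA ticket = approval, peer review = SoD”) is simple enough to express as a pipeline check. The block below is an added example, not code from the talk or from Zuul: it evaluates a set of changes and fails any commit whose message carries no ticket key, whose ticket is not open in an approved project, or whose only approver is its own author. The project keys, the ticket lookup and the sample commits are constructed for illustration.

```python
"""Pipeline gate for the DevSec flow: every change must reference a JIRA ticket
(the ticket is the approval record) and carry an approval from someone other
than its author (peer review is the segregation of duties).

Added example, not code from the talk. Project keys, the ticket lookup and the
sample changes are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Ticket keys look like PROJ-123; word boundaries let "refs SEC-42." match too.
TICKET_RE = re.compile(r"\b([A-Z][A-Z0-9]+-\d+)\b")
ALLOWED_PROJECTS = {"SEC", "PLAT"}        # hypothetical JIRA projects
OPEN_TICKETS = {"SEC-42", "PLAT-7"}       # stands in for a JIRA query


@dataclass
class Change:
    sha: str
    author: str
    message: str
    reviewers: list = field(default_factory=list)   # approvers on the review


def ticket_of(message):
    """Return the first ticket key found in the commit message, or None."""
    m = TICKET_RE.search(message)
    return m.group(1) if m else None


def ticket_is_open(key):
    return key in OPEN_TICKETS


def check_change(change, is_open=ticket_is_open):
    """Return the list of policy violations; an empty list means the gate passes."""
    problems = []
    key = ticket_of(change.message)
    if key is None:
        problems.append("no JIRA ticket in commit message")
    else:
        project = key.split("-")[0]
        if project not in ALLOWED_PROJECTS:
            problems.append(f"ticket {key} is not from an approved project")
        elif not is_open(key):
            problems.append(f"ticket {key} is not open (no valid approval)")
    # SoD: at least one approver, and the author cannot approve their own change
    independent = [r for r in change.reviewers if r != change.author]
    if not independent:
        problems.append("no independent peer review (SoD)")
    return problems


def gate(changes, is_open=ticket_is_open):
    """Evaluate every change; return {sha: [violations]} for those that fail."""
    failures = {}
    for c in changes:
        problems = check_change(c, is_open)
        if problems:
            failures[c.sha] = problems
    return failures


# Constructed sample changes
SAMPLE_CHANGES = [
    Change("a1", "alice", "SEC-42 rotate deploy key", ["bob"]),
    Change("b2", "bob", "fix typo", ["alice"]),
    Change("c3", "carol", "PLAT-7 tighten ingress", ["carol"]),
    Change("d4", "dave", "SEC-99 hotfix", ["erin"]),
    Change("e5", "erin", "OPS-1 bump version", ["dave"]),
]

if __name__ == "__main__":
    for sha, problems in gate(SAMPLE_CHANGES).items():
        print(sha, "; ".join(problems))
```

Running the gate on the sample set passes only the first change; the others fail for a missing ticket, a self-approval, a closed ticket and a ticket from a project the gate does not accept. A real pipeline would feed `gate` the commits of the merge request and query JIRA in `ticket_is_open`.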
• 63. ADDING THE “SEC” INTO DEVOPS, PART 2 - SECOPS
(diagram, built up step by step:) APPLICATION LOGS → LOGGED → ALERTED → REVIEWED AND RESOLVED → ESCALATED → FEEDBACK
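The loop in the diagram (logs are collected, alerted on, reviewed and resolved, or escalated when nobody resolves them) can be shown end to end on a handful of log lines. The block below is an added example, not code from the talk: it parses a constructed application log format, raises one alert per source IP that fails authentication repeatedly inside a sliding window, and then applies the on-call outcome, escalating any alert that outlives its SLA. The log format, the threshold, the SLA and the sample lines are all constructed.

```python
"""SecOps loop: application log lines are parsed, matched against a detection
rule, turned into alerts, and every alert is either reviewed and resolved by
on-call or escalated once it outlives its SLA.

Added example, not code from the talk. The log format, thresholds, SLA and
sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<iso-ts> <level> auth user=<u> ip=<ip> result=fail|ok"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$"
)


def parse(lines):
    """Parse known lines; unknown lines are counted so a format change is noticed."""
    events, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, unparsed


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """One alert per source IP with >= threshold failed logins inside a sliding window."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            fails[ev["ip"]].append(ev["ts"])
    alerts = []
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"rule": "auth-bruteforce", "ip": ip, "count": j - i + 1,
                               "first_seen": times[i], "state": "alerted"})
                break   # report each IP once, with the first window that tripped
    return alerts


def triage(alerts, now, resolutions, sla=timedelta(minutes=30)):
    """resolutions maps ip -> on-call note; anything unresolved past the SLA escalates."""
    for a in alerts:
        if a["ip"] in resolutions:
            a["state"], a["note"] = "resolved", resolutions[a["ip"]]
        elif now - a["first_seen"] > sla:
            a["state"] = "escalated"
    return alerts


def run(lines, now, resolutions):
    """Whole loop: parse -> detect -> triage. Returns (alerts, unparsed line count)."""
    events, unparsed = parse(lines)
    return triage(detect_bruteforce(events), now, resolutions), unparsed


# Constructed sample log lines
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 INFO auth user=alice ip=10.0.0.5 result=fail",
    "2024-05-01T10:00:10 INFO auth user=alice ip=10.0.0.5 result=fail",
    "2024-05-01T10:00:20 INFO auth user=admin ip=10.0.0.5 result=fail",
    "2024-05-01T10:00:30 INFO auth user=root ip=10.0.0.5 result=fail",
    "2024-05-01T10:00:40 INFO auth user=bob ip=10.0.0.5 result=fail",
    "2024-05-01T10:00:50 INFO auth user=bob ip=10.0.0.5 result=fail",
    "2024-05-01T10:01:00 INFO auth user=carol ip=10.0.0.9 result=fail",
    "2024-05-01T10:01:05 INFO auth user=carol ip=10.0.0.9 result=ok",
    "2024-05-01T10:02:00 INFO auth user=dave ip=198.51.100.7 result=fail",
    "2024-05-01T10:05:00 INFO auth user=dave ip=198.51.100.7 result=fail",
    "2024-05-01T10:08:00 INFO auth user=dave ip=198.51.100.7 result=fail",
    "2024-05-01T10:11:00 INFO auth user=dave ip=198.51.100.7 result=fail",
    "2024-05-01T10:14:00 INFO auth user=dave ip=198.51.100.7 result=fail",
    "2024-05-01T10:20:00 INFO auth user=svc ip=203.0.113.4 result=fail",
    "2024-05-01T10:20:10 INFO auth user=svc ip=203.0.113.4 result=fail",
    "2024-05-01T10:20:20 INFO auth user=svc ip=203.0.113.4 result=fail",
    "2024-05-01T10:20:30 INFO auth user=svc ip=203.0.113.4 result=fail",
    "2024-05-01T10:20:40 INFO auth user=svc ip=203.0.113.4 result=fail",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    alerts, bad = run(SAMPLE_LOGS, datetime(2024, 5, 1, 11, 0),
                      {"10.0.0.5": "blocked at the edge, SEC-42"})
    for a in alerts:
        print(a["ip"], a["count"], a["state"])
    print("unparsed lines:", bad)
```

The slow attempts from 198.51.100.7 never put five failures inside one two-minute window, so the rule stays quiet for them; that is the feedback step in practice: the threshold and window are the tunables a reviewer adjusts after seeing what the rule did and did not catch.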
• 73. SECOPS SUMMARY
▸ Security built in on all levels
  ▸ Not only “DevSec”, but also non-functional requirements — secrets management, logging, encryption, …
▸ Images / Containers / Infrastructure / Network hardening
  ▸ No unnecessary SW, no default passwords, firewalls in deny-all mode, monitored bastion hosts in DMZ with session logging and strong authentication/authorization …
▸ Configuration management, automated compliance
  ▸ Orchestrated CM, anything-as-a-code (including fw rules, access control etc.), code reviews + alerts
▸ Automated threat intelligence, scans, detection, alerting and response
  ▸ Vulnerability scans, HIDS/NIDS, log monitoring and analysis, SIEM, …
▸ Combination of Operations and Security in the same on-call team
  ▸ Not everyone can be a top-class security expert — keep these in a virtual CSIRT, not in Ops
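“Anything-as-a-code” is what makes the hardening points on this slide checkable in the pipeline: when firewall rules, host roles and accounts live in the repository, a review job can audit them before they are applied. The block below is an added example, not code from the talk or from any configuration-management tool: it walks a constructed configuration and reports a non-deny default policy, admin ports open to the world, default passwords, packages a role does not need, and bastions without MFA or session logging. The schema, the role/package allowlist and the sample definitions are assumptions made for the example.

```python
"""Compliance-as-code over the definitions ops keep in the repository: firewall
in deny-all mode, no admin port open to the world, no default passwords, no
unnecessary software, bastion hosts with strong authentication and session
logging.

Added example, not code from the talk. The config schema, the role/package
allowlist and the sample definitions are constructed for illustration.
"""
import ipaddress

ADMIN_PORTS = {22, 3389, 5432}
DEFAULT_PASSWORDS = {"", "admin", "password", "changeme", "postgres"}
ROLE_PACKAGES = {   # everything a host of this role is allowed to carry
    "bastion": {"openssh-server", "auditd"},
    "db": {"openssh-server", "auditd", "postgresql"},
    "web": {"openssh-server", "auditd", "nginx"},
}


def check_firewall(fw):
    findings = []
    if fw.get("default_policy") != "deny":
        findings.append("firewall default policy is not deny-all")
    for rule in fw.get("rules", []):
        if rule.get("action") != "allow":
            continue
        # a /0 source means "from anywhere"
        if ipaddress.ip_network(rule["source"]).prefixlen == 0 and rule["port"] in ADMIN_PORTS:
            findings.append(f"admin port {rule['port']} allowed from anywhere ({rule['name']})")
    return findings


def check_host(host):
    name, findings = host["name"], []
    for acct in host.get("accounts", []):
        # a real job would compare the image's shadow file against known default hashes
        if acct.get("password") in DEFAULT_PASSWORDS:
            findings.append(f"{name}: account {acct['user']} uses a default password")
    extra = sorted(set(host.get("packages", [])) - ROLE_PACKAGES.get(host["role"], set()))
    if extra:
        findings.append(f"{name}: unnecessary packages installed: {', '.join(extra)}")
    if host["role"] == "bastion":
        if not host.get("mfa"):
            findings.append(f"{name}: bastion without MFA")
        if not host.get("session_logging"):
            findings.append(f"{name}: bastion without session logging")
    return findings


def audit(config):
    """Return every finding; an empty list means the change may be applied."""
    findings = check_firewall(config["firewall"])
    for host in config["hosts"]:
        findings.extend(check_host(host))
    return findings


# Constructed sample configuration with several deliberate violations
SAMPLE_CONFIG = {
    "firewall": {
        "default_policy": "allow",
        "rules": [
            {"name": "ssh-from-office", "action": "allow", "source": "203.0.113.0/24", "port": 22},
            {"name": "ssh-anywhere", "action": "allow", "source": "0.0.0.0/0", "port": 22},
            {"name": "https", "action": "allow", "source": "0.0.0.0/0", "port": 443},
        ],
    },
    "hosts": [
        {"name": "bastion1", "role": "bastion", "mfa": True, "session_logging": False,
         "packages": ["openssh-server", "auditd"],
         "accounts": [{"user": "ops", "auth": "ssh-key"}]},
        {"name": "db1", "role": "db",
         "packages": ["postgresql", "auditd", "openssh-server", "telnetd"],
         "accounts": [{"user": "postgres", "password": "postgres"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL", finding)
```

Wire `audit` into the same review job that gates code changes and the findings become review comments plus alerts, which is the “code reviews + alerts” point on the slide; the same data is what the orchestrated CM tool applies, so what passed review is what runs.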
• 74. OH, AND BY THE WAY … WERE YOU WORRIED ABOUT
SECURE BY (DESIGN) DEVSECOPS
• 77. OK, WE DID THAT ALL. ARE WE 100 % SECURE NOW?
Of course not :) :(, but you decreased the risks a lot:
▸ Increased prevention and detection capabilities
▸ Faster response, no handover between Security and Ops
▸ Faster recovery thanks to automation and *-as-a-code
▸ Cultural change, better communication and straightforward feedback
• 83. THANKS FOR YOUR ATTENTION! ANY QUESTIONS? Tomas Honzak tomas@honzak.cz