DevSecOps and Drupal: Securing Your Applications in a Modern IT Landscape
I am Will Hall
My role is Digital Architect, which means I have all video conferencing applications installed.
I support code projects in Drupal (PHP), Python, Ruby, JavaScript; using Docker, Ansible, GitLab, GitLab CI and Bash… I don’t understand it all.
You can find me at @hn_will
Hello!
Imposters and security...
Personal
Vulnerabilities
The History of Musical Notation
La, la, la, la, la.
We’ll get to why this is relevant soon.
“Music is oral history. However, in its history it was unable to be communicated easily across time & space.”
Compressed history of musical notation
◉ Boethius (480-525 AD) - Letters associated with notes
◉ Gregory the Great (600 AD) - First seven letters, uppercase and lowercase. Also introduced lines (similar to a stave) with words moving up and down.
◉ Franco of Cologne (1200 AD) - Symbols for the length of notes.
Standards take time, effort, evolution
DevOps is filled with incomplete standards
We have so much to compete with when joining code to infrastructure. So many additional variables.
What is DevSecOps?
Because everyone needs a buzzword
Development Team - Favourite phrase: “Works On My Machine”
Operations Team - Favourite phrase: “Server is up, must be application errors.”
Security Team - Favourite phrase: “No”
[Diagram: DevOps sits where Development and Operations overlap]
DevOps is fixated on the successful movement of products between environments
[Diagram: DevSecOps sits where Development, Operations and Security overlap]
DevSecOps is fixated on the secure, successful movement of secure products between secure environments
DevOps is moving products. Is that an oversimplification?
DevOps delusion
[Diagram: first, second, last] Our process is easy...
€89,526,124 - That’s a lot of money
100% - Total success!
185,244 users - And a lot of users
[Map: our office, global reach]
The internet is held together by string, glue and uncommented code.
Testing Automation
Doing the same things over and over again
Let’s review some testing concepts
Static Analysis Testing - Checking the code against standards. What is acceptable, what is not.
Build Testing - Does the application build with its dependencies?
Smoke Testing - Is it broken now?
Unit Testing - Testing the functionality of code. Inputs and outputs.
Functional Testing - Testing functions/features inside the application.
Security Testing - Testing elements of security.
You don’t need to be a plumber to like pipelines.
Pipelines
◉ Code Static Analysis
◉ Unit Test
◉ Build Test
◉ Functional Test
◉ Smoke Test
Local testing?
Where is security testing inside your pipelines?
🤷
Security you can automate
◉ Secrets Management (secure your pipeline)
◉ Dependency/Vulnerability Scanning
◉ Vulnerability Attacks
◉ Load Testing/DDoS Simulations
Let’s get real.
◉ Everything should be in a container.
◉ Containers should have the minimum required.
◉ We should process jobs in parallel.
Let’s demo this… Or, in practice, use my pre-completed examples.
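The pipeline sketched above, as an added example that is not the talk’s pre-completed demo: a `.gitlab-ci.yml` for a Composer-managed Drupal 8 project that runs dependency scanning next to the unit tests, each job in its own minimal container, with the only secret injected from a masked CI variable rather than the repository. Job names, image tags, paths, and `drupal/coder` and `phpunit` being in `require-dev` are assumptions.

```yaml
# Added example (not the talk's own pipeline). Assumptions: drupal/coder and
# phpunit are in require-dev, custom code lives under web/modules/custom and
# web/themes/custom, and SNYK_TOKEN is a masked, protected CI/CD variable.
stages:
  - static
  - build
  - test      # unit and security jobs share this stage, so GitLab runs them in parallel

# Static analysis: coding standards only; the container has nothing else.
phpcs:
  stage: static
  image: composer:1
  script:
    - composer install --prefer-dist --no-interaction --no-progress
    - vendor/bin/phpcs --standard=Drupal,DrupalPractice web/modules/custom

# Build test: does the application resolve and install its dependencies?
build:
  stage: build
  image: composer:1
  script:
    - composer install --prefer-dist --no-interaction --no-progress
  artifacts:
    paths:
      - vendor/
      - web/core/
      - web/modules/contrib/
    expire_in: 1 hour

# Unit tests run against the vendor/ artifact produced by the build job.
phpunit:
  stage: test
  image: php:7.2-cli
  script:
    - vendor/bin/phpunit -c web/core web/modules/custom

# Dependency scanning: a known-vulnerable JavaScript library in a custom theme
# makes retire exit non-zero, which fails the job and therefore the pipeline.
retire_js:
  stage: test
  image: node:10-alpine
  script:
    - npm install -g retire
    - retire --path web/themes/custom --severity medium

# Application-level scan of the Composer lock file. The token is read from the
# CI variable at runtime and never lives in the repository.
snyk:
  stage: test
  image: node:10-alpine
  script:
    - npm install -g snyk
    - snyk test --file=composer.lock
```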
😲
We probably already know what our greatest weakness is...
Testing Tools
Because choosing things is hard
Secrets Management
◉ How do you achieve minimum required access?
◉ Where do you inject secrets?
◉ How do you control access?
◉ Tools:
○ Hashicorp Vault
○ Docker Secrets
○ Keybase
Vulnerability Databases
◉ When standing on the “shoulders of giants”, we can see further, but we also don’t know all of our dependencies
◉ CVE - https://www.cvedetails.com/
◉ Nist - https://nvd.nist.gov/
◉ Tools:
○ Clair - coreos/clair - Docker layer security
○ Snyk - Application Level
○ Retire.js
○ drupal.org
Vulnerability Attacks
◉ Attack your known weaknesses
◉ Bad users
◉ Tools:
○ Kali Linux 😈
○ Fuzzing, brute force, module enumeration, Metasploit, Burp (PortSwigger)...
Security Auditing
◉ DevSecOps does not replace Security Audits, it augments the pipeline to allow greater focus.
What you need to do now
Actionable items for you
Automate your build
◉ If you are building manually, stop. Automate.
◉ If you already use Jenkins, that is fine, if not, don’t start on it.
◉ GitOps - This should be your new search topic...
◉ Or:
○ GitLab CI
○ Drone.io
○ CircleCI
Clusters/Orchestrations
◉ Clusters and orchestration of containers are the future of application delivery.
◉ Learn Docker
◉ Learn Kubernetes (and probably use managed services; EKS, RDS on AWS).
Automate your security
◉ Test your weaknesses
◉ Reduce your effort
◉ Speed is essential - time is your non-transferable resource
We probably already know what our greatest strength is…
Each other.
Any questions?
https://www.surveymonkey.com/r/QTLXNVQ
You can find me at
◉ @hn_will
◉ linkedin.com/in/willhallonline
◉ willhallonline.co.uk
Thanks!
Credits
Special thanks to all the people who made and released these awesome resources for free:
◉ Presentation template by SlidesCarnival
◉ Photographs by Pixabay