This document contains a presentation about DevSecOps given by Diego Cardoso from GFT. The presentation discusses how security has traditionally been separated from development and operations in the software development lifecycle. It then outlines how DevSecOps aims to integrate security from the beginning through practices like shifting security left to earlier phases, establishing a security mindset across teams, and implementing security testing tools and processes that allow for rapid yet secure delivery. Trends discussed include the growing DevSecOps landscape and focus on topics like cloud security and compliance with data protection regulations like LGPD.
DevSecOps: Putting security on the pipeline
1. Shaping the future of digital business
GFT Group – Confidential – 29/08/19
We Innovate, Transform, Deliver
August 2019
UFSCar – SeCoT XI
DevSecOps: Putting security on the pipeline
___________________________________________
Diego Cardoso – Head of DevSecOps Practices Brazil
diego.cardoso@gft.com
#TeamGFT #UFSCarSecotXI
2. • Proud son, husband and father
• Graduated in Information Systems at FSA
• Postgraduate degree in Software Architecture at FIAP
• Microsoft certified: MCTS
• I work at GFT (Sorocaba)
• 15+ years analyzing, coding and migrating
• Enthusiast focused on Architecture and Agile Methodologies
• Rusty guitarist and gamer in my spare time
3. GFT Group
Strong international presence: offices in 13 countries: Germany, Brazil, Canada, Costa Rica, France, Spain, USA, England, Italy, Mexico, Poland, Switzerland and Belgium.
Strong national presence: 800+ employees spread across our offices in Alphaville, Sorocaba and Curitiba.
Global delivery model: a global team of 5,500+ employees.
Focus on financial services: revenue of R$ 1.8 billion forecast for 2018.
We are a 30-year-old German company focused on digital transformation for the financial industry.
Service lines: Digital Solutions | Application Management & Outsourcing | Consulting
4. GFT Group – Workshops
Events open to the tech community!
GFT's Technology Communities team has a group of specialists who are always sharing content through workshops, talks and webinars. Among them: Technology Workshop, CodeN'Beer, CodingDojo, TechTalk, Front-End Stand-Up Meeting, DES-Conferência Lean-Agile.
5. GFT Group – Job openings
Send us your résumé: Oportunidades.Brasil@gft.com
GFT on social media:
facebook.com/gft.br
linkedin.com/company/gft-group
blog.gft.com/br
www.twitter.com/gft_br
@gft_tech
www.gft.com/br
meetup.com/pt-BR/GFT-LATAM-Meetup
6. Agenda
1. Software Development
2. DevOps
3. CyberSecurity
4. LGPD
5. DevSecOps
6. OWASP
7. Trends for 2019 / 2020
7. Software Development – Methodologies
Waterfall:
• Over-planning
• Risk mitigation
• High costs
• Deliver everything at the end
Agile:
• Experiments and prototypes
• Fail fast and low costs
• Continuous and evolutionary delivery
8. Software Development – Before DevOps
9. Software Development – DevOps Enablement
• Squads: Dev + Ops + QA
• Engineering (automating) the Agile process
• Quick time to market (ROI)
10. Software Development – But where is the security team?
11. Software Development – But where is the security team?
12. CyberSecurity – Let's check the news
13. CyberSecurity – Statistics you should know for 2019
14. CyberSecurity – Statistics you should know for 2019
15. LGPD – Lei Geral de Proteção de Dados (Brazil's General Data Protection Law, the counterpart of the GDPR)
16. Source: Gartner 2018
Source: RightScale 2018
17. Source: Gartner
18. Understanding Concepts
#DevSecOps #SRE #BeTransformationAgent
19. DevSecOps = DevOps + Security
Mindset: everyone is responsible for security
Goal: privacy and security by design
Mission: delivery at speed and scale without sacrificing the safety required by the context.
DEVELOPERS : OPERATIONS : SECURITY
100 : 10 : 1
20. DevSecOps – The Evolution of Security Teams
21. DevSecOps – Enabling evolutionary security
22. DevSecOps – Security shifting to the left
[Figure: cost to remediate by SDLC phase]
Phases: Requirements; Design/Architecture; Coding (7X); Testing (15X); Deployments/Maintenance (30X)
Vertical axis: Cost to Remediate
Flow without shift-left: Somebody builds insecure software -> IT deploys the insecure software -> We are breached or pay to have someone tell us our code is bad -> We convince and pay the developer to fix it
Flow with QA testing: Somebody builds insecure software -> QA finds vulnerabilities in software -> We convince & pay the developer to fix it, thereby delaying the release
Shift-left practices:
• Application scan: SAST, DAST
• Create Evil Stories
• High level of test coverage
23. DevSecOps – Leading the transformation
Creating the mindset:
• Security awareness
• Secure coding training
• Shared knowledge base
• Focused hackathons
Questions you should be able to answer:
• What are the top risks/vulnerabilities (OWASP)?
• Does the code contain hard-coded secrets?
• Do 3rd-party libraries have known security issues?
Test:
• SAST + DAST + RAST
• Sensitive info scan
• Fuzzing
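As an added example (not from the deck), a minimal shift-left gate for the "hard-coded secrets" question and the "sensitive info scan" test above: it scans repository files for secret patterns and fails the build when any are found. The rule set, the allow-list pattern and the sample repository contents are assumptions constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Illustrative rule set (assumed). Real secret scanners ship far larger sets.
SECRET_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("password-assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Lines that read the value from the environment are the approved pattern, not a finding.
ALLOW = re.compile(r"os\.environ|getenv\(|\$\{?[A-Z_]+\}?")


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per matching line: file, line number, rule and a redacted snippet."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW.search(line):
            continue
        for rule, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append({"file": path, "line": lineno, "rule": rule,
                                 "snippet": pattern.sub("<redacted>", line.strip())})
                break  # one finding per line is enough to fail the gate
    return findings


def pipeline_gate(files: Dict[str, str]) -> Tuple[bool, List[Dict[str, object]]]:
    """Shift-left gate: scan every file; the build passes only when nothing is found."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return len(findings) == 0, findings


# Constructed sample repository contents (not from any real project).
SAMPLE_REPO = {
    "config.py": 'DB_PASSWORD = "hunter2hunter2"\nAPI_KEY = os.environ["API_KEY"]\n',
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "clean.py": 'password = os.getenv("PASSWORD")\n',
}

if __name__ == "__main__":
    ok, found = pipeline_gate(SAMPLE_REPO)
    for f in found:
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['snippet']}")
    raise SystemExit(0 if ok else 1)  # non-zero exit blocks the pipeline stage
```

Run it as a pipeline step: a non-zero exit code stops the stage before the insecure change reaches deployment, which is the cheap end of the cost-to-remediate curve.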
24. OWASP – Open Web Application Security Project
Top 5 Vulnerabilities
25. OWASP – SQL Injection
26. OWASP – SQL Injection
27. OWASP – SQL Injection
28. Trends for 2019 / 2020
#DevSecOps #SRE #BeTransformationAgent
29. DevOps – Landscape 2019
30. CyberSecurity – Landscape 2019
32. Conclusion – State of DevSecOps 2019
33. August 2019
We Innovate, Transform, Deliver
UFSCar – SeCoT XI
DevSecOps: Putting security on the pipeline
___________________________________________
Diego Cardoso – Head of DevSecOps Brazil
diego.cardoso@gft.com
#TeamGFT #UFSCarSecotXI
Thank you very much! Questions?