Had a session at the "Empowering Digital Trust: Data Security and Beyond" event organized by Thales Data Security. The event was free and open to the public.

1. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
DevSecOps Done
Right:
Strategies and Tools
Davide Benvegnu

2. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Who is me…
Davide Benvegnu
DevOps and Infra Lead, PlayStudios
2

3. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Who is me…
Davide Benvegnu
DevOps and Infra Lead, PlayStudios
3
Microsoft MVP
Allegedly Famous YouTuber
Landscape photographer
Former MMA fighter

4. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Applied Security

5. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Development
& Branching
Change
Management
Quality
Assurance
Processes
Infrastructure
Automation
SECURITY
Release
Engineering
Performance
Monitoring

6. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Bad – No Security

7. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Bad – Security as an afterthought

8. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Still Bad - Detached

9. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Good – Security everywhere, at any moment

10. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Shift Left

11. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Shift Left on Security

12. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Shift Left on Security

13. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
The earlier we remediate, the better
Development Build Test/QA Production Breach
Remediation
Costs
SDLC
Stages
Develop Build Test Deploy Breach
$80 $240
$960
$7,600
$ Millions
Sources: NIST, Polemon Institute

14. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Shift Left on Security

15. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Shift Left on Security

16. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Security as Responsibility

17. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Security for everyone
PO
Security
in Epics
PM
Security
in Features
DEV
Secure(d)
Development
TESTER
Security
Testing
OPS
Security
Monitoring
…
…
…

18. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Security teams reinvented

19. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Security for everyone

20. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Security for everyone

21. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Just everyone

22. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
DevSecOps Practices

23. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Security Work in the Backlog

24. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Security through the whole process
Sprint
• Security work taken into Sprint
Active
• Topic branch linked to item for traceability
Pull
Request
• PR changes must pass security scanning and policies
Merge
• Continuous Integration Build from Main
Pre-Prod
• Security and Vulnerability tests must pass 100%
Release
• Progressive deploy across stages with release gates

25. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Assume Breach
 Initially double-blind test
 Over time, eliminated blue team
vs.
Shifted left to prevent top risks
 Credential theft
 Secret leakage
 OSS vulnerabilities

26. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
DevSecOps for each pillar

27. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Definition of DevOps
DevOps is the union of
people, processes, and
products to enable
continuous delivery of
value to your end users.
“
”
Donovan Brown

28. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
People
• Education
• Security first mindset
• Assumed breach
• Protect Credentials
Processes
• Secure Development Lifecycle
• Threat Modeling
• Security Assessments
• Red-Blue Team Exercises (War Games)
• Code Reviews
• Limited Production Access
• Immutable Infrastructure
• Progressive Exposure
Products (Technologies, Tools)
• Release automation
• Infrastructure/Config as Code
• Static Code Analysis /
Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Credential Scanning
• Secrets Management
• Known Vulnerabilities
DevSecOps for the three DevOps Pillars

29. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
About Tools

30. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
How to Select Tools
• Developer-friendly
• Fast yet reliable
• Local
• CI
• CD
• Minimal false positive rate

31. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
How and What

32. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Integrated
Cloud Provider
IDE & VCS
Examples:
GitHub Advanced Security
• Secret Scanning
• Code Scanning
• Dependency Scanning
• SARIF Support
GitLab Application Security
• Same as GHAS
• IaC Scanning
VSCode Extensions
…
Examples:
Azure Security Center
Azure Monitor
AWS Cloud Security
AWS Cloudwatch
GCP Security Command Center
GCP Chronicle Security Ops.
…

33. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Integrated or Integratable
Cloud Provider
IDE & VCS 3rd-party
Examples:
GitHub Advanced Security
• Secret Scanning
• Code Scanning
• Dependency Scanning
• SARIF Support
GitLab Application Security
• Same as GHAS
• IaC Scanning
VSCode Extensions
…
Examples:
Azure Security Center
Azure Monitor
AWS Cloud Security
AWS Cloudwatch
GCP Security Command Center
GCP Chronicle Security Ops.
…
Examples:
Well…
As long as we can have a
Single Pane of Glass solution

34. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Keep Your Secrets… Secret!
Use an KMS, HSM
• Secrets, Keys, Certificates
Prefer Native Ones
• Unless you’re going MultiCloud
• or hybrid
• or regulations
Live Applications
CI/CD
Live Systems
• TDE, SSL Certs, Encryption at Rest, …

35. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Container Image Scan

36. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Prevent K8S Misconfigurations From Reaching
Production
Manual code review is time-consuming and
error-prone
Automate:
• Schema Validation
• Best Practices Validation
• Policy Enforcement

37. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
Summary

38. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
• Security is not just for security people
• Security everywhere, at every time
• Apply DevSecOps to People, Processes, and Products
• Choose tools that people would want to use
• It is just DevOps… make it so
Recap

39. Click to edit Master title style
• Click to edit Master text styles
– Second level
• Third level
– Fourth level
» Fifth level
youtube.com/CoderDave
@DavideBenvegnu
github.com/n3wt0n
linkedin.com/in/davidebenvegnu
davide.ph
📷