DevSecOps Done Right: Strategies and Tools
Davide Benvegnu
Who is me…
Davide Benvegnu
DevOps and Infra Lead, PlayStudios
• Microsoft MVP
• Allegedly Famous YouTuber
• Landscape photographer
• Former MMA fighter
Applied Security
• Development & Branching
• Change Management
• Quality Assurance Processes
• Infrastructure Automation
• SECURITY
• Release Engineering
• Performance Monitoring
Bad – No Security
Bad – Security as an afterthought
Still Bad – Detached
Good – Security everywhere, at any moment
Shift Left
Shift Left on Security
The earlier we remediate, the better
Remediation cost by SDLC stage:
• Develop (Development): $80
• Build: $240
• Test (Test/QA): $960
• Deploy (Production): $7,600
• Breach: $ Millions
Sources: NIST, Ponemon Institute
Security as Responsibility
Security for everyone
• PO: Security in Epics
• PM: Security in Features
• DEV: Secure(d) Development
• TESTER: Security Testing
• OPS: Security Monitoring
• …
Security teams reinvented
Just everyone
DevSecOps Practices
Security Work in the Backlog
Security through the whole process
Sprint
• Security work taken into Sprint
Active
• Topic branch linked to item for traceability
Pull Request
• PR changes must pass security scanning and policies
Merge
• Continuous Integration Build from Main
Pre-Prod
• Security and Vulnerability tests must pass 100%
Release
• Progressive deploy across stages with release gates
Assume Breach
• Initially double-blind test
• Over time, eliminated blue team
vs.
Shifted left to prevent top risks
• Credential theft
• Secret leakage
• OSS vulnerabilities
DevSecOps for each pillar
Definition of DevOps
“DevOps is the union of people, processes, and products to enable continuous delivery of value to your end users.”
Donovan Brown
DevSecOps for the three DevOps Pillars
People
• Education
• Security first mindset
• Assumed breach
• Protect Credentials
Processes
• Secure Development Lifecycle
• Threat Modeling
• Security Assessments
• Red-Blue Team Exercises (War Games)
• Code Reviews
• Limited Production Access
• Immutable Infrastructure
• Progressive Exposure
Products (Technologies, Tools)
• Release automation
• Infrastructure/Config as Code
• Static Code Analysis / Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Credential Scanning
• Secrets Management
• Known Vulnerabilities
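The "Credential Scanning" product bullet above, together with the "Credential theft" and "Secret leakage" risks on the Assume Breach slide, is what a shift-left pipeline automates on every pull request. The following is an added example, not code from the talk or from any of the products it names: a minimal scanner that combines known key formats with an entropy filter so that the false-positive rate stays low enough for developers to keep using it. The rule names, the entropy threshold, the placeholder list and the SAMPLE file lines are all constructed for illustration.

```python
"""Credential scanning as a pull-request gate.

Added example, not code from the talk or from any product it names.  The rule
names, entropy threshold, placeholder list and SAMPLE lines are constructed."""
import math
import re
from collections import Counter

# "AKIA" + 16 upper-case alphanumerics is the documented shape of an AWS access key id.
# The assignment rule catches hard-coded secrets regardless of provider.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; constructed cut-off for "looks random"
PLACEHOLDERS = {"changeme", "<redacted>", "example", "your-token-here"}

# Constructed file contents; the AKIA value is the example key from AWS documentation.
SAMPLE = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'password = "changeme"',
    "api_key = 'aaaaaaaaaaaaaaaa'",
    'token = "Xk9pQ2vL7mB4nR8sT1wY6zA3"',
    "secret: 'hunter2hunter2'",
    "-----BEGIN RSA PRIVATE KEY-----",
    "# TODO: move credentials to the KMS",
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines):
    """Return (line_no, rule, redacted_value) for every finding in the given lines."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(2) if rule == "hardcoded_assignment" else m.group(0)
                if rule == "hardcoded_assignment":
                    # Drop placeholders and low-entropy values to keep the false-positive
                    # rate down.  Caveat: a weak but real password such as the constructed
                    # 'hunter2hunter2' is also low-entropy and slips through this filter.
                    if value.lower() in PLACEHOLDERS or shannon_entropy(value) < ENTROPY_THRESHOLD:
                        continue
                # Never write the secret itself to a log; keep a short prefix for triage.
                findings.append((no, rule, value[:4] + "****"))
    return findings


def gate(lines) -> bool:
    """PR policy check: True when the change may merge, False when a finding blocks it."""
    return not scan_lines(lines)


if __name__ == "__main__":
    for no, rule, redacted in scan_lines(SAMPLE):
        print(f"line {no}: {rule} ({redacted})")
    print("merge allowed:", gate(SAMPLE))
```

Run against SAMPLE, the scanner reports the AWS key id, the high-entropy token and the private-key header, skips the placeholder and the low-entropy values, and `gate()` returns False so the pull request cannot merge. The same function is what a pre-commit hook would call locally, which is how the "Local, CI, CD" selection criterion from the tools section is met with one code path.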
About Tools
How to Select Tools
• Developer-friendly
• Fast yet reliable
• Local
• CI
• CD
• Minimal false positive rate
How and What
Integrated
IDE & VCS – Examples:
GitHub Advanced Security
• Secret Scanning
• Code Scanning
• Dependency Scanning
• SARIF Support
GitLab Application Security
• Same as GHAS
• IaC Scanning
VSCode Extensions
…
Cloud Provider – Examples:
Azure Security Center
Azure Monitor
AWS Cloud Security
AWS CloudWatch
GCP Security Command Center
GCP Chronicle Security Ops.
…
Integrated or Integratable
IDE & VCS – Examples: as on the previous slide
Cloud Provider – Examples: as on the previous slide
3rd-party – Examples:
Well…
As long as we can have a Single Pane of Glass solution
Keep Your Secrets… Secret!
Use a KMS or HSM
• Secrets, Keys, Certificates
Prefer Native Ones
• Unless you’re going MultiCloud
• or hybrid
• or regulations
Live Applications
CI/CD
Live Systems
• TDE, SSL Certs, Encryption at Rest, …
Container Image Scan
Prevent K8S Misconfigurations From Reaching Production
Manual code review is time-consuming and error-prone
Automate:
• Schema Validation
• Best Practices Validation
• Policy Enforcement
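The three automation layers listed above, as an added example that is not code from the talk or from any Kubernetes policy product: a small admission-style gate that runs schema validation first, then best-practice checks, then organisational policy, over a workload manifest. The rule set, the approved registry `registry.example.internal/` and the three sample manifests (given in JSON, which kubectl also accepts) are constructed for illustration.

```python
"""Automated checks that keep Kubernetes misconfigurations out of production:
schema validation, best-practice validation and policy enforcement.

Added example, not code from the talk.  The rule set, the approved registry
and the three sample manifests (JSON form, which kubectl accepts) are constructed."""
import json

ALLOWED_REGISTRIES = ("registry.example.internal/",)  # constructed placeholder
FORBIDDEN_NAMESPACES = {"default"}


def _containers(manifest):
    """Pod-template containers of a workload manifest, or [] when absent."""
    return manifest.get("spec", {}).get("template", {}).get("spec", {}).get("containers") or []


def validate_schema(manifest):
    """Structural checks the later rules depend on."""
    errors = []
    for field in ("apiVersion", "kind", "metadata", "spec"):
        if field not in manifest:
            errors.append(f"schema: missing top-level field '{field}'")
    if "name" not in manifest.get("metadata", {}):
        errors.append("schema: metadata.name is required")
    if manifest.get("kind") == "Deployment":
        containers = _containers(manifest)
        if not containers:
            errors.append("schema: spec.template.spec.containers must be a non-empty list")
        for c in containers:
            for field in ("name", "image"):
                if field not in c:
                    errors.append(f"schema: container is missing '{field}'")
    return errors


def validate_best_practices(manifest):
    """Hardening rules a reviewer would otherwise have to check by hand."""
    warnings = []
    for c in _containers(manifest):
        name, image = c.get("name", "?"), c.get("image", "")
        # A mutable tag makes the deployment non-reproducible and defeats image scanning.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            warnings.append(f"best-practice: container '{name}' uses an untagged or :latest image")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            warnings.append(f"best-practice: container '{name}' runs privileged")
        if not sc.get("runAsNonRoot"):
            warnings.append(f"best-practice: container '{name}' does not set runAsNonRoot: true")
        if not c.get("resources", {}).get("limits"):
            warnings.append(f"best-practice: container '{name}' has no resource limits")
    return warnings


def enforce_policy(manifest):
    """Organisation policy: approved registries only, and no workloads in 'default'."""
    violations = []
    ns = manifest.get("metadata", {}).get("namespace", "default")
    if ns in FORBIDDEN_NAMESPACES:
        violations.append(f"policy: namespace '{ns}' is not allowed for workloads")
    for c in _containers(manifest):
        image = c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRIES):
            violations.append(f"policy: image '{image}' is not from an approved registry")
    return violations


def admit(manifest_json: str):
    """Pipeline gate: parse one manifest and return (allowed, findings)."""
    manifest = json.loads(manifest_json)
    findings = validate_schema(manifest)
    if findings:
        return False, findings  # semantic rules are meaningless on a broken document
    findings = validate_best_practices(manifest) + enforce_policy(manifest)
    return not findings, findings


# Constructed sample manifests.
BROKEN_MANIFEST = json.dumps({"kind": "Deployment", "metadata": {}})
BAD_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"replicas": 1, "template": {"spec": {"containers": [
        {"name": "web", "image": "nginx:latest", "securityContext": {"privileged": True}}]}}},
})
GOOD_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "payments"},
    "spec": {"replicas": 2, "template": {"spec": {"containers": [{
        "name": "web", "image": "registry.example.internal/web/app:1.4.2",
        "securityContext": {"runAsNonRoot": True, "privileged": False},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}},
})

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_MANIFEST), ("bad", BAD_MANIFEST), ("good", GOOD_MANIFEST)):
        allowed, findings = admit(doc)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
        for f in findings:
            print("  -", f)
```

Schema errors short-circuit the run because best-practice and policy rules cannot be evaluated meaningfully on a document the API server would reject anyway; the bad manifest then collects six findings (mutable tag, privileged, no runAsNonRoot, no limits, default namespace, unapproved registry), while the good one is admitted with none. In a real pipeline the same `admit()` call sits behind the pull-request gate and the pre-prod stage of the process slide.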
Summary
Recap
• Security is not just for security people
• Security everywhere, at every time
• Apply DevSecOps to People, Processes, and Products
• Choose tools that people would want to use
• It is just DevOps… make it so
youtube.com/CoderDave
@DavideBenvegnu
github.com/n3wt0n
linkedin.com/in/davidebenvegnu
davide.ph