devsecops: HOW HARD IT IS
Thiago Ribeiro
github.com/ribeiroit . twitter.com/ribeiroit
agenda
● about me
● why devsecops?
● quick concepts
● myths
● cultural change
● tips
● responsibilities
● q&a
about me
professional experience
● 97 / helpdesk internet provider
● 00 / sysadm / web developer
● 06 / it manager
● 09 / sysadm / infra developer
● 12 / backend developer
● 14 / security architect
● 18 / head of appsec
education
● tech data processing
● grad industrial design
● mba it management
● ms production engineering [aborted]
● itil / cobit / project management / lean / cybersecurity / cloud computing / opensource experience
why devsecops?
cybersecurity: technologies + processes + practices = protect enterprise goods
application security + information security + network security + disaster recovery + business continuity + operational security + end user education
source: http://whatis.techtarget.com/definition/cybersecurity
why devsecops?
the cost to fix a web application vulnerability ranges from $400 to $4000, depending on the vulnerability.
source: http://www.darkreading.com/risk/the-cost-of-fixing-an-application-vulnerability/d/d-id/1131049?
it is not about computers. it is about branding and reputation.
why devsecops?
handle requirements from regulators and introduce maturity model concepts into the sdlc.
[logos: sox, pci, hipaa, csa, iso 27001, opensamm, bsimm, bacen]
why devsecops?
understand security metrics during the sdlc.
great opportunity to get the “time to fix” from the teams and handle risks accurately.
it is a lead time question.
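A way to turn the “time to fix” idea into numbers, as an added example that is not part of the original deck: it computes the median time-to-fix per team and severity from finding records and flags findings that have exceeded a remediation target. The finding records, team names, severities and the SLA targets are all constructed for illustration.

```python
"""Time-to-fix (lead time) metrics from vulnerability findings.

Added example, not from the original deck. The finding records, team names,
severities and SLA targets below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: one record per finding, as a tracker export might look.
# fixed_at is None while the finding is still open.
FINDINGS = [
    {"team": "payments", "severity": "high",   "opened_at": "2018-03-01", "fixed_at": "2018-03-04"},
    {"team": "payments", "severity": "medium", "opened_at": "2018-03-02", "fixed_at": "2018-03-20"},
    {"team": "payments", "severity": "high",   "opened_at": "2018-03-10", "fixed_at": None},
    {"team": "catalog",  "severity": "high",   "opened_at": "2018-03-01", "fixed_at": "2018-03-25"},
    {"team": "catalog",  "severity": "low",    "opened_at": "2018-03-05", "fixed_at": "2018-03-06"},
    {"team": "catalog",  "severity": "medium", "opened_at": "2018-02-20", "fixed_at": "2018-03-02"},
]

# Constructed remediation targets in days; a real program derives these from its risk appetite.
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


def _days_open(rec, as_of):
    """Days between opening and fixing; open findings are measured up to as_of (YYYY-MM-DD)."""
    opened = datetime.strptime(rec["opened_at"], "%Y-%m-%d")
    end = datetime.strptime(rec["fixed_at"] or as_of, "%Y-%m-%d")
    return (end - opened).days


def time_to_fix(findings, as_of):
    """Median time-to-fix in days per (team, severity), over fixed findings only."""
    buckets = defaultdict(list)
    for rec in findings:
        if rec["fixed_at"]:
            buckets[(rec["team"], rec["severity"])].append(_days_open(rec, as_of))
    return {key: median(vals) for key, vals in buckets.items()}


def sla_breaches(findings, as_of):
    """Findings, open or fixed, whose time open exceeds the target for their severity."""
    out = []
    for rec in findings:
        days = _days_open(rec, as_of)
        if days > SLA_DAYS[rec["severity"]]:
            out.append({**rec, "days_open": days, "sla_days": SLA_DAYS[rec["severity"]]})
    return out


if __name__ == "__main__":
    today = "2018-03-31"
    for (team, sev), days in sorted(time_to_fix(FINDINGS, today).items()):
        print(f"{team:9s} {sev:7s} median time to fix: {days} days")
    for b in sla_breaches(FINDINGS, today):
        print(f"SLA breach: {b['team']} {b['severity']} open {b['days_open']}d (target {b['sla_days']}d)")
```

Tracking the median rather than the mean keeps one long-running finding from hiding a team that otherwise fixes quickly; the breach list is what a risk owner actually escalates on.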
why devsecops?
simple attack scenario
[diagram: dev → repo → build → deploy; blackhat; vulnerability]
fix development vulnerabilities before they are deployed in prod.
why devsecops?
advanced attack scenario
[diagram: dev → repo → build → deploy; blackhat; vulnerability; malware; ops; confidential files]
help to protect against information leakage.
quick concepts
• sast – static analysis security testing
• dast – dynamic analysis security testing
• waf – web application firewall
• pentesting – security penetration tests
• rasp – runtime application self-protection
• owasp – open web application security project
• asvs – application security verification standard
• soc – security operations center
• iast – interactive appsec testing
myths
“people often sell devops like they are selling bananas.”
devops is a complex ecosystem and demands many hours of implementation.
there is no silver bullet.
it's hard to scale devops in big companies.
myths
“problems? just install docker to get things done.”
supporting containers in high availability is not a piece of cake.
problems like networking policies and data volumes are not that easy to implement.
all the people “layers” must be solved to implement containers.
take care when using containers: an image can host malware.
myths
“static analysis security testing is enough to keep you protected.”
it's hard to make devs understand all the threats they could be vulnerable to.
fixing vulnerabilities can take a long time.
fixing vulnerabilities might generate new vulnerabilities.
consider having a waf or rasp to stay covered.
myths
“12factors. Whaaattt?”
it's not easy to find developers who can absorb the 12factors and deliver them.
it is a big challenge to keep a devsecops process running. it demands massive communication and iteration with the crew.
cultural change
“developers think that they will deliver software in production easily.”
devsecops is much more responsibility than facilitation.
apply different gates to different teams based on their maturity. create KPIs to measure the maturity.
great power comes with great responsibilities.
cultural change
“the team members don't understand the data classification and what they need to protect.”
your company should have a good approach to data classification and make the team aware of what they handle.
a good education program about risks can help the team understand the value of the information.
cultural change
“product owners must consider security tests as a 'valuable deliverable' for their products.”
security is still considered a pain in the ass by many people.
some applications need manual tests to go deeper into some attack scenarios.
automated dynamic analysis can speed up the releases, but that's not enough.
tips
know your enemies and threats.
* must know about OWASP Top 10
* must know about SANS 25
if you don't know how to attack, how could you defend?
sql injection appeared in 98 and it still continues among the top vulnerabilities.
tips
start everything by classifying risks and validating requirements.
owasp asvs can help you validate your technical security controls.
keep your application inventory updated.
ref: https://github.com/aparsons/bag-of-holding
ref: https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf
[logo: OWASP ASVS]
tips
add sast to your pipeline
* save money and time finding and fixing vulnerabilities
* sast helps to scale your team's knowledge and understanding
* it keeps your code safer; even the best make mistakes.
* establish a code review process for critical code. double checking really matters.
ref: https://www.owasp.org/index.php/Source_Code_Analysis_Tools
[logo: GAS]
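Putting the two ideas together, the maturity-based gates from the cultural change slide and the sast-in-the-pipeline tip here, as an added example that is not from the original deck: a gate script that reads a sast report and fails the build only for findings at or above the threshold assigned to the team's maturity level, while recording per-severity counts as KPIs. The report shape, team register, maturity levels and threshold policy are all constructed; a real tool's export (for instance SARIF) would need a small adapter in load_findings().

```python
"""Pipeline gate: fail the build on SAST findings above a team's maturity threshold.

Added example, not from the original deck. The findings format, team names and
maturity levels below are constructed; a real SAST tool export would need a
small adapter in load_findings().
"""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy: less mature teams start with a lax gate (block only on
# critical) and tighten as their KPIs improve; mature teams block on medium+.
GATE_BY_MATURITY = {1: "critical", 2: "high", 3: "medium"}

# Constructed team register with each team's current maturity level.
TEAMS = {"payments": 3, "catalog": 1}

# Constructed SAST report, shaped like a simplified JSON export.
SAST_REPORT = json.dumps({
    "findings": [
        {"rule": "hardcoded-secret",  "severity": "high",   "file": "src/db.py",   "line": 12},
        {"rule": "sql-string-concat", "severity": "medium", "file": "src/repo.py", "line": 40},
        {"rule": "weak-hash-md5",     "severity": "low",    "file": "src/util.py", "line": 7},
    ]
})


def load_findings(report_json):
    """Adapter point: map the tool's native export to {rule, severity, file, line} dicts."""
    return json.loads(report_json)["findings"]


def gate_threshold(team):
    return GATE_BY_MATURITY[TEAMS[team]]


def blocking_findings(findings, threshold):
    """Findings whose severity is at or above the gate threshold."""
    min_rank = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= min_rank]


def evaluate_gate(team, report_json):
    """Decide the gate for one pipeline run and return KPI counts alongside it.

    The counts are what gets tracked over time to justify raising a team's
    maturity level (and with it, tightening its gate).
    """
    findings = load_findings(report_json)
    threshold = gate_threshold(team)
    blocking = blocking_findings(findings, threshold)
    kpis = {sev: sum(1 for f in findings if f["severity"] == sev) for sev in SEVERITY_RANK}
    return {"team": team, "threshold": threshold, "passed": not blocking,
            "blocking": blocking, "kpis": kpis}


if __name__ == "__main__":
    failed = False
    for team in TEAMS:
        result = evaluate_gate(team, SAST_REPORT)
        status = "PASS" if result["passed"] else "FAIL"
        failed = failed or not result["passed"]
        print(f"{team}: gate >= {result['threshold']} -> {status}, "
              f"{len(result['blocking'])} blocking, kpis={result['kpis']}")
    sys.exit(1 if failed else 0)  # non-zero exit is what makes the CI stage fail
```

The same report passes for the level-1 team and fails for the level-3 team; the policy, not the scanner, decides how strict each team's gate is, and the KPI counts make the conversation about moving a team up a level a numeric one.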
tips
invest time coding automated tests for whatever layer you need to guarantee.
* automate functional tests
* automate vulnerability tests
* automate infrastructure scans
* prioritize your efforts by the risks.
[logo: NAPALM]
tips
threat modeling can help you understand the threats and risks to your solution and apply the correct countermeasures.
* keep your solutions' documentation and diagrams updated
* perform express threat modeling sessions with your team
* create a security checklist and try to automate it
tips
always automate infrastructure to keep hardening items in place.
a good approach for inventory management and for applying patches in a risk situation.
* pay attention to microsegmentation and guarantee free access for your vulnerability scanners.
* always consider automation as a defensive factor.
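The "security checklist, automated" item from the threat modeling tip and the "keep hardening items in place" tip here both come down to the same check, shown as an added example that is not from the original deck: a checklist of expected option values run against a Key value style config file (an sshd_config-like text is used), reporting pass, fail or missing for each item so the automation owning the host knows what to remediate. The checklist items and the sample config text are constructed.

```python
"""Automated hardening checklist over an sshd_config-style file.

Added example, not from the original deck. The checklist items and the sample
config text are constructed; the check logic is generic key/value matching.
"""

# Constructed checklist: option -> set of acceptable values (lowercase).
CHECKLIST = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"3", "4"},
    "loglevel": {"verbose"},
}

# Constructed sample: the kind of text an ssh daemon config file contains.
SAMPLE_CONFIG = """\
# hardening baseline (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
#MaxAuthTries 6
LogLevel INFO
"""


def parse_kv_config(text):
    """Parse 'Key value' lines, ignoring blanks and comments; keys lowercased.

    Only the first occurrence of a key is kept, which is how sshd resolves a
    directive given more than once (the first value wins).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def run_checklist(text, checklist=CHECKLIST):
    """Return {item: (status, observed)} with status 'pass', 'fail' or 'missing'."""
    settings = parse_kv_config(text)
    results = {}
    for key, allowed in checklist.items():
        if key not in settings:
            results[key] = ("missing", None)  # a commented-out directive counts as missing
        elif settings[key] in allowed:
            results[key] = ("pass", settings[key])
        else:
            results[key] = ("fail", settings[key])
    return results


def drift_items(results):
    """Items that need remediation by the automation that owns the host."""
    return sorted(k for k, (status, _) in results.items() if status != "pass")


if __name__ == "__main__":
    res = run_checklist(SAMPLE_CONFIG)
    for item, (status, seen) in res.items():
        print(f"{status:7s} {item} (observed: {seen})")
    print("remediate:", drift_items(res))
```

Treating a commented-out directive as missing rather than passing matters: the daemon falls back to its default, which for several of these options is the weaker setting, so "not configured" is drift too.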
tips
continuous logging can help you handle log levels in different rbac scenarios.
an interface to help developers figure out application debugging without logging in to production.
integrating OPS logs with behavior analysis can help you mitigate attacks or trigger automatic fixes. availability is part of security.
amplifying SOC visibility.
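The "ops logs into behavior analysis, trigger an automatic fix" point, as an added example that is not from the original deck: a sliding-window rule over web-server access log lines that flags a client producing a burst of authentication failures and emits a mitigation event the SOC can see. The log lines, field layout, threshold, window and the action name are constructed.

```python
"""Behaviour analysis over ops logs: detect a burst of authentication failures
and emit a mitigation event.

Added example, not from the original deck. The log lines, field layout,
thresholds and the 'action' name are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample of web-server access log lines: client ip, timestamp, request, status, size.
SAMPLE_LOG = """\
198.51.100.7 - [10/Mar/2018:12:00:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - [10/Mar/2018:12:00:02 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - [10/Mar/2018:12:00:03 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - [10/Mar/2018:12:00:04 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - [10/Mar/2018:12:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - [10/Mar/2018:12:00:10 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - [10/Mar/2018:12:00:40 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.9 - [10/Mar/2018:12:05:00 +0000] "GET /account HTTP/1.1" 200 4096
198.51.100.7 - [10/Mar/2018:13:00:00 +0000] "POST /login HTTP/1.1" 401 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)


def parse_line(line):
    """Return {ip, ts, path, status} or None for a line that does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def detect_auth_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: at least `threshold` 401s on /login from one ip within `window`.

    Returns one event per offending ip, recorded at the moment the threshold was crossed;
    a single user mistyping a password once or twice never reaches it.
    """
    failures = defaultdict(list)
    events = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] != "/login" or rec["status"] != 401:
            continue
        ip = rec["ip"]
        window_start = rec["ts"] - window
        failures[ip] = [t for t in failures[ip] if t > window_start] + [rec["ts"]]
        if len(failures[ip]) >= threshold and ip not in events:
            events[ip] = {
                "ip": ip,
                "first_seen": failures[ip][0],
                "crossed_at": rec["ts"],
                "count": len(failures[ip]),
                "action": "rate-limit-login",  # constructed mitigation name the ops side would implement
            }
    return list(events.values())


if __name__ == "__main__":
    for ev in detect_auth_bursts(SAMPLE_LOG):
        print(f"{ev['crossed_at'].isoformat()} {ev['ip']} {ev['count']} failures -> {ev['action']}")
```

The window prunes old failures on every new one, so the later isolated failure from the same client at 13:00 does not re-trigger; the action is a rate limit rather than a block so that availability, which the slide counts as part of security, is degraded as little as possible for a client sharing that address.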
tips
building enterprise secure components can help you scale security inside your company.
put the smart people to generate smart solutions and distribute them over the organization.
libraries and software dependencies are 80% of the whole application.
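If dependencies are most of the application, checking them is part of the pipeline; as an added example that is not from the original deck, a small dependency audit that matches a lock file's pinned versions against an advisory list. The requirements text, package names and advisory entries are constructed and the advisory ids are placeholders, not real identifiers; version comparison is a numeric-tuple compare that is enough for x.y.z pins (a real tool would use a full PEP 440 implementation).

```python
"""Dependency audit: match a lock file's pinned versions against an advisory list.

Added example, not from the original deck. Both the requirements text and the
advisory entries are constructed; the advisory ids are placeholders, not real
identifiers. Version comparison is a small numeric-tuple compare, enough for
x.y.z pins (a real tool would use a PEP 440 implementation).
"""

# Constructed pinned requirements, in requirements.txt syntax.
REQUIREMENTS = """\
# constructed sample lock file
libalpha==0.12.1
libbeta==2.18.0    # pinned last year
libgamma==3.12
libdelta==2.10.1
"""

# Constructed advisories: package -> list of (affected_below, fixed_in, id).
ADVISORIES = {
    "libbeta":  [("2.20.0", "2.20.0", "ADV-0001 (constructed)")],
    "libgamma": [("5.1", "5.1", "ADV-0002 (constructed)")],
    "libdelta": [("2.10.1", "2.10.1", "ADV-0003 (constructed)")],
}


def parse_version(v):
    """'2.18.0' -> (2, 18, 0)."""
    return tuple(int(p) for p in v.split("."))


def version_lt(a, b):
    """Numeric compare with missing trailing parts treated as zero ('2.10' == '2.10.0')."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_requirements(text):
    """Return {name: version} for '==' pins; comments, blanks and unpinned lines are skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (s.strip() for s in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def audit(requirements_text, advisories=ADVISORIES):
    """One finding per pinned package whose version is below an advisory's affected_below."""
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        for affected_below, fixed_in, adv_id in advisories.get(name, []):
            if version_lt(version, affected_below):
                findings.append({"package": name, "installed": version,
                                 "fixed_in": fixed_in, "advisory": adv_id})
    return findings


if __name__ == "__main__":
    for f in audit(REQUIREMENTS):
        print(f"{f['package']}=={f['installed']} affected, upgrade to {f['fixed_in']} ({f['advisory']})")
```

The pin exactly at the fixed version (libdelta) is correctly not reported, which is the boundary case that a naive string comparison gets wrong; unpinned lines are skipped because an audit cannot say anything about a version it does not know.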
education and support
establish a security champions program.
invest time and money to guarantee continuous learning about security and new threats for your crew.
start internal initiatives to share knowledge with the team: tech talks, lightning talks, etc.
work together with human resources to create gamification programs.
q&a
thanks!
get in touch on my twitter or github.

 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 

DevSecOps | How hard it is?

  • 1. dev sec ops HOW HARD IT IS Thiago Ribeiro github.com/ribeiroit . twitter.com/ribeiroit
  • 2. agenda ● about me ● why devsecops? ● quick concepts ● myths ● cultural change ● tips ● responsibilities ● q&a
  • 3. about me. professional experience: ● 97 / helpdesk internet provider ● 00 / sysadm / web developer ● 06 / it manager ● 09 / sysadm / infra developer ● 12 / backend developer ● 14 / security architect ● 18 / head of appsec. education: ● tech data processing ● grad industrial design ● mba it management ● ms production engineering [aborted] ● itil / cobit / project management / lean / cybersecurity / cloud computing / opensource experience
  • 4. why devsecops? cybersecurity: technologies + processes + practices = protect enterprise goods. application security + information security + network security + disaster recovery + business continuity + operational security + end user education. source: http://whatis.techtarget.com/definition/cybersecurity
  • 5. why devsecops? fixing a web application vulnerability ranges from $400 to $4000 depending on the vulnerability. source: http://www.darkreading.com/risk/the-cost-of-fixing-an-application-vulnerability/d/d-id/1131049? $$ it is not about computers. it is about branding and reputation.
  • 6. why devsecops? handle requirements from regulators and introduce maturity model concepts into the sdlc: sox, pci, hipaa, csa, iso 27001, opensamm, bsimm, bacen.
  • 7. why devsecops? understand security metrics during the sdlc. great opportunity to get the “time to fix” from the teams and handle risks accurately. it is a lead time question.
  • 8. why devsecops? simple attack scenario (diagram: dev → repo → build → deploy; blackhat; vulnerability). fix development vulnerabilities before they are deployed in prod.
  • 9. why devsecops? advanced attack scenario (diagram: dev → repo → build → deploy; ops; confidential files; vulnerability; malware). help to protect against information leakage.
  • 10. quick concepts • sast – static analysis security testing • dast – dynamic analysis security testing • waf – web application firewall • pentesting – security penetration tests • rasp – runtime application self-protection • owasp – open web application security project • asvs – application security verification standard • soc – security operations center • iast – interactive appsec testing
  • 11. myths: “people often sell devops like they are selling bananas.” devops is a complex ecosystem and demands many hours of implementation. there is no silver bullet. it's hard to scale devops in big companies.
  • 12. myths: “problems? just install docker to get things done.” supporting containers in high availability is not a piece of cake. problems like networking policies and data volumes are not easy to implement. all the people “layers” must be solved to implement containers. take care when using containers: they could host malware.
  • 13. myths: “static analysis security testing is enough to keep you protected.” it's hard to make devs understand all the threats they could be vulnerable to. fixing vulnerabilities can take a long time. fixing vulnerabilities might generate new vulnerabilities. consider having a waf or rasp to be covered.
  • 14. myths: “12factors. whaaattt?” it's not easy to find developers that can absorb the 12 factors and deliver them. it is a big challenge to keep a devsecops process running. it demands massive communication and iteration with the crew.
  • 15. cultural change: “developers think that they will deliver software to production easily.” devsecops is much more responsibility than facilitation. apply different gates to different teams based on their maturity. create KPIs to measure the maturity. great power comes with great responsibilities.
  • 16. cultural change: “the team members don't understand data classification and what they need to protect.” your company should have a good approach to data classification and make the team aware of what they handle. a good education program about risks can help the team understand the value of the information.
  • 17. cultural change: “product owners must consider security tests as a 'valuable deliverable' in their products.” security is still considered a pain in the ass by many people. some applications need manual tests to go deeper into some attack scenarios. automated dynamic analysis can speed up releases, but that's not enough.
  • 18. tips: know your enemies and threats. * must know about OWASP Top 10 * must know about SANS 25. if you don't know how to attack, how could you defend? sql injection appeared in 98 and it still continues among the top vulnerabilities.
  • 19. tips: start everything by classifying risks and validating requirements. owasp asvs can help you validate your technical security controls. keep your application inventory updated. ref: https://github.com/aparsons/bag-of-holding ref: https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS
  • 20. tips: add sast to your pipeline. * save money and time to catch and fix vulnerabilities * sast helps to scale your team's knowledge and understanding * it keeps your code safer; even the best make mistakes. * establish a code review process for critical code. double checking really matters. ref: https://www.owasp.org/index.php/Source_Code_Analysis_Tools GAS
  • 21. tips: invest time coding automated tests for whatever layer you need to guarantee. * automate functional tests * automate vulnerability tests * automate infrastructure scans * prioritize your efforts by the risks. NAPALM
  • 22. tips: threat modeling can help you understand threats and risks in your solution and apply the correct countermeasures. * keep your solutions' documentation and diagrams updated * perform express threat modeling sessions with your team * create a security checklist and try to automate it
  • 23. tips: always automate infrastructure to keep hardening items in place. good approach for inventory management and for applying patches in a risk situation. * pay attention to microsegmentation and guarantee free access for your vulnerability scanners. * always consider automation as a defensive factor.
  • 24. tips: continuous logging can help you handle log levels in different rbac scenarios. an interface helps developers debug the application without logging in to production. integrating OPS logs with behavior analysis can help you mitigate attacks or trigger automatic fixes. availability is part of security. amplifying SOC visibility.
  • 25. tips: building enterprise secure components can help you scale security inside your company. put the smart people to generate smart solutions and distribute them over the organization. libraries and software dependencies are 80% of the whole application.
  • 26. education and support: establish a security champions program. invest time and money to guarantee continuous learning about security and new threats for your crew. start internal initiatives to share knowledge with the team: tech talks, lightning talks, etc. work together with human resources to create gamification programs.
  • 27. q&a. thanks! get in touch on my twitter or github.
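One concrete way to tie together the talk's “time to fix” metric (slide 7), maturity-based gates with KPIs (slide 15) and SAST in the pipeline (slide 20), as an added example that is not part of the original deck: the gate policy, the maturity levels, the finding record layout and the sample findings are all constructed assumptions, not the output format of any real SAST tool.

```python
"""Maturity-based SAST gate plus a time-to-fix KPI for a DevSecOps pipeline.

Added example (not from the talk). Assumes a SAST tool has been normalised
into a list of dicts with 'id', 'severity', 'opened' and 'fixed' (None while
still open); the gate policy below is a constructed assumption.
"""
from datetime import date
from statistics import mean

# Constructed policy: the gate gets stricter as a team's maturity level grows.
# Level 1 teams only fail the build on 'critical'; level 3 fails on 'medium' and up.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
GATE_THRESHOLD = {1: "critical", 2: "high", 3: "medium"}


def blocking_findings(findings, maturity_level):
    """Open findings at or above the severity this team's gate blocks on."""
    threshold = SEVERITY_RANK[GATE_THRESHOLD[maturity_level]]
    return [f for f in findings
            if f["fixed"] is None and SEVERITY_RANK[f["severity"]] >= threshold]


def gate_passes(findings, maturity_level):
    """True when the pipeline may deploy; False when a blocking finding is open."""
    return not blocking_findings(findings, maturity_level)


def time_to_fix_days(findings):
    """Mean lead time in days from report to fix, per severity (the KPI).

    Only fixed findings are counted, so long-lived open issues do not
    distort the number; they are what blocking_findings() surfaces."""
    per_severity = {}
    for f in findings:
        if f["fixed"] is None:
            continue
        per_severity.setdefault(f["severity"], []).append((f["fixed"] - f["opened"]).days)
    return {sev: mean(days) for sev, days in per_severity.items()}


# Constructed sample findings for one team (not real scan data).
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "opened": date(2018, 3, 1), "fixed": date(2018, 3, 3)},
    {"id": "F-2", "severity": "high", "opened": date(2018, 3, 1), "fixed": date(2018, 3, 15)},
    {"id": "F-3", "severity": "high", "opened": date(2018, 4, 2), "fixed": None},
    {"id": "F-4", "severity": "medium", "opened": date(2018, 4, 5), "fixed": None},
    {"id": "F-5", "severity": "low", "opened": date(2018, 4, 6), "fixed": date(2018, 4, 20)},
]

if __name__ == "__main__":
    for level in (1, 2, 3):
        blocked = [f["id"] for f in blocking_findings(SAMPLE_FINDINGS, level)]
        print(f"maturity {level}: gate passes={gate_passes(SAMPLE_FINDINGS, level)} blocked={blocked}")
    print("time to fix (days):", time_to_fix_days(SAMPLE_FINDINGS))
```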