Priyanka Aash, profile picture
Uploaded byPriyanka Aash
PDF, PPTX1,954 views

DevSecOps in Baby Steps

The document discusses moving from traditional security practices to a DevSecOps model where security is integrated into the development lifecycle. It encourages making DevOps the security team's job, hardening the development toolchain, planning security epics and user stories, and sprinting to automate security practices. Specific examples provided include building an AWS Lambda function to respond to CloudTrail events and using AWS CodeDeploy for security tasks like imaging instance memory.

Embed presentation

Download as PDF, PPTX
SESSION ID: #RSAC Hart Rossman DevSecOps in Baby Steps CSV-F03 Amazon Web Services Global Practice Manager- Security, Risk, and Compliance @HartDanger
#RSAC The Journey: Baby Steps to Parkour 2 Getting to DevOps DevOps to DevSecOps Planning your Epics & Sprints Use Cases & Examples
#RSAC In The Beginning There Was NoOps 3
#RSAC Security program – Ownership as part of DNA • Promotes culture of “everyone is an owner” for security • Makes security stakeholder in business success • Enables easier and smoother communication Distributed Embedded
#RSAC Responsibility & Accountability Own it. Govern it. Not my monkeys; not my circus. Operating with Shared Responsibility How do I know? Do I carry a pager for this service? Do I make the rules? Should I be consulted or informed?
#RSAC Security as code 1. Use the cloud to protect the cloud 2. Security infrastructure should be cloud aware 3. Expose security features as services via API 4. Automate everything so everything scales
#RSAC Security as code: Innovation, stability, & security Business Development Operations Build it faster Keep it stable Security Protect it
#RSAC Security as code: A shorter path to the customer Requirements Gathering Release Automated Build and Deploy Some learning Minimal learning Lots of learning
#RSAC Security as code: Deploying more frequently lowers risk Smaller effort “Minimized risk” Frequent release events: “Agile methodology” Time Change Rare release events: “Waterfall methodology” Larger effort “Increased risk” Time Change
#RSAC Version Control CI Server Package Builder Commit to Git/master Dev Get / Pull Code Send Build Report to Dev Stop everything if build failed Distributed Builds Run Tests in parallel Code Config Tests Push Config Repo Continuous Integration
#RSAC Confidence that our code changes will build successfully Increasing velocity of feedback cycle through iterative change Bugs are detected quickly Automated testing reduces size of testing effort Very fast feedback on the things we can test immediately What does CI give us?
#RSAC Continuous Delivery Version Control CI Server Package Builder Deploy ServerCommit to Git/master Dev Get / Pull Code AMIs Send Build Report to Dev Stop everything if build failed Distributed Builds Run Tests in parallel Staging Env Test Env Code Config Tests Prod Env Push Config Install Create Repo CloudFormation Templates for Env Generate
#RSAC Automated, repeatable process to push changes to production Hardens, de-risks the deployment process Allows detection of failure as quickly as possible in the build process Supports A/B testing or “We test customer reactions to features in production” Gives us a breadth of data points across our applications What does CD give us?
#RSAC Continuous Delivery System
#RSAC DevOps Continuous Delivery Technology change that enables culture change DevOps Culture change that enables technology change
#RSAC DevOps to DevSecOps
#RSAC DevSecOps: Core Principles 1. Secure the toolchain 2. Armor up the workloads 3. Deploy your security infrastructure through the toolchain
#RSAC DevOps DevSecOps Version Control CI Server Package Builder Deploy ServerCommit to repoDev Pull Code AMIs Send build report to dev and stop everything if build failed Staging Env Test Env Code Config Tests Prod Env Push Config Install Create Repo AWS CloudFormation templates for Env Generate Security Repository Vulnerability and pen testing •Security Infrastructure tests •Security unit tests in app
#RSAC CI/CD and automation for security infrastructure Version Control Build/ compile code Dev Unit test app code IT Ops DR Env Test Env Prod Env Dev Env Application Write app code Infrastructure CloudFormation tar, war, zip yum, rpmDeploy app Package application Deploy application only Deploy infrastructure only AMI Build AMIs Validate templates Write infra code Deploy infras Automate deployment Artifact Repository
#RSAC Building DevSecOps teams • Make DevOps the security team’s job. • No siloed/walled off DevOps teams. • Encourage {security} developers to participate openly in the automation of operations code. • Embolden {security} operations participation in testing and automation of application code. • Take pride in how fast and frequently you deploy.
#RSAC Planetary Scale from Day 1 Build Security Services Expose features as API Plan for Scale Know your Customers Utilize customer feedback to Iterate Internalize your Metrics, let them guide you
#RSAC Planning your Epics & Sprints
#RSAC Security as code: Agile user stories 1. Epics vs. stories An epic is delivered over many sprints; a user story is delivered in one sprint or less. Icebox backlog  sprint 2. Product owner The product owner decides the priority of each story, is responsible for accepting the story, and is responsible for defining the detailed requirements and detailed acceptance criteria for the story.
#RSAC Security as code: Agile user stories 3. Persona (or role) A persona/role is a fictitious user or actor within or of the system. 4. Acceptance criteria What does good look like? How will we know? 5. Summary format Every story should have the same summary format: As a (persona/role) I want (function) so that (benefit).
#RSAC Security as code: Security Epics Shared Responsibility Model Identity and Access Control Logging and Monitoring Infrastructure Security Data Protection Incident Response & Forensics Configuration and Vulnerability Analysis Big Data and Predictive Analytics
#RSAC Getting Started: IAM Story: As a IAM administrator I want to continually reduce the scope of access for humans even as our platform grows. Passwords and access keys that have not been used recently might be good candidates for removal. Sprint 1: Get credential reports and flag credentials not used in last 45 days. Other sprint ideas can be found at: http://docs.aws.amazon.com/IAM/latest/UserGuide/best- practices.html
#RSAC Getting Started: Logging & Monitoring Story: As a security analyst I want to monitor interactions with AWS API so that we can baseline user behavior Sprint 1: Enable AWS CloudTrail globally Story: As a security operations team member I want to take action on AWS CloudWatch alarms so that we respond responsibly Sprint 2: Integrate alerting into security workflow & ticketing
#RSAC Use Cases & Examples
#RSAC Building a “Lambda Responder” AWS CloudTrail Amazon S3 Amazon SNS
#RSAC Reading events in Lambda exports.handler = function(event,context) { var snsMsgString = JSON.stringify(event.Records[0].Sns.Message); var snsMsgObject = getSNSMessageObject(snsMsgString); var srcBucket = snsMsgObject.Records[0].s3.bucket.name; var srcKey = snsMsgObject.Records[0].s3.object.key; ... function getSNSMessageObject(msgString) { var x = msgString.replace(//g,’’); var y = x.substring(1,x.length-1); var z = JSON.parse(y); return z; }
#RSAC Detecting events in Lambda … var EVENT_SOURCE_TO_TRACK = /cloudtrail.amazonaws.com/; var EVENT_NAME_TO_TRACK = /StopLogging/; var matchingRecords = records .Records .filter(function(record) { return record.eventSource.match(EVENT_SOURCE_TO_TRACK) && record.eventName.match(EVENT_NAME_TO_TRACK); }); …
#RSAC Responding to events in Lambda ... if (matchingRecords.length >= 1) { console.log('StopLogging detected! Reverting...'); cloudtrail.startLogging(cloudtrailParams, function(err, data) { ...
#RSAC Responding to events in Lambda
#RSAC What you do in any IT Environment • Firewall rules • Network ACLs • Network time pointers • Internal and external subnets • NAT rules • Gold OS images • Encryption algorithms for data in transit and at rest http://docs.aws.amazon.com/quickstart/latest/accelerat or-nist/welcome.html Golden Code: Security Translation to AWS AWS JSON translation Gold Image, NTP and NAT Network ACLs, Subnets, FW rules
#RSAC Security As Code: Using AWS CodeDeploy Imaging instance memory: LiME - https://github.com/504ensicslabs/lime AWS CodeDeploy:
#RSAC Now What?
#RSAC “Apply” Slide 37 Make DevOps the security team’s job Harden your toolchain Plan your Security Epics Write your first Security User Story Sprint!

More Related Content

PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PDF
Take Control: Design a Complete DevSecOps Program
byDeborah Schalm
 
PDF
Secure Your Code Implement DevSecOps in Azure
bykloia
 
PDF
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
PDF
DevSecOps - The big picture
byDevSecOpsSg
 
PPTX
DevSecOps - CrikeyCon 2017
bykieranjacobsen
 
PPTX
Integrating Security into DevOps
byCloudPassage
 
PDF
DevSecOps: Minimizing Risk, Improving Security
byFranklin Mosley
 
Introduction to DevSecOps
byabhimanyubhogwan
 
Take Control: Design a Complete DevSecOps Program
byDeborah Schalm
 
Secure Your Code Implement DevSecOps in Azure
bykloia
 
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
DevSecOps - The big picture
byDevSecOpsSg
 
DevSecOps - CrikeyCon 2017
bykieranjacobsen
 
Integrating Security into DevOps
byCloudPassage
 
DevSecOps: Minimizing Risk, Improving Security
byFranklin Mosley
 

What's hot

PDF
Introduction to DevSecOps
bySetu Parimi
 
PPTX
DevSecOps : an Introduction
byPrashanth B. P.
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
PPTX
Cloud Application Security: Lessons Learned
byJason Chan
 
PPTX
DevSecOps OWASP
byPriyanka Raghavan
 
PDF
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
byDevSecCon
 
PDF
DevSecOps - The big picture
byStefan Streichsbier
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PDF
Careers in Security
byJason Chan
 
PPTX
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
bySeniorStoryteller
 
PPTX
Making Security Agile - Oleg Gryb
bySeniorStoryteller
 
PPTX
What it feels like to live in a Security Enabled DevOps World
byKarun Chennuri
 
PPTX
Stephen Sadowski - Securely automating infrastructure in the cloud
byDevSecCon
 
PPTX
AWS Security Strategy
by2nd Sight Lab
 
PDF
Integrating DevOps and Security
byStijn Muylle
 
PPTX
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
PDF
DevSecOps - Building Rugged Software
bySeniorStoryteller
 
Introduction to DevSecOps
bySetu Parimi
 
DevSecOps : an Introduction
byPrashanth B. P.
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
Cloud Application Security: Lessons Learned
byJason Chan
 
DevSecOps OWASP
byPriyanka Raghavan
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
byDevSecCon
 
DevSecOps - The big picture
byStefan Streichsbier
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
2019 DevSecOps Reference Architectures
bySonatype
 
Careers in Security
byJason Chan
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
bySeniorStoryteller
 
Making Security Agile - Oleg Gryb
bySeniorStoryteller
 
What it feels like to live in a Security Enabled DevOps World
byKarun Chennuri
 
Stephen Sadowski - Securely automating infrastructure in the cloud
byDevSecCon
 
AWS Security Strategy
by2nd Sight Lab
 
Integrating DevOps and Security
byStijn Muylle
 
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
DevSecOps - Building Rugged Software
bySeniorStoryteller
 

Viewers also liked

PPTX
DevOps & Security: Here & Now
byCheckmarx
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
PPTX
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
PDF
Application Security Guide for Beginners
byCheckmarx
 
PDF
A Successful SAST Tool Implementation
byCheckmarx
 
PPTX
Graph Visualization - OWASP NYC Chapter
byCheckmarx
 
PDF
Devops security-An Insight into Secure-SDLC
bySuman Sourav
 
PPTX
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PDF
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
PDF
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
byDevOpsDays Tel Aviv
 
PDF
Application Security Management with ThreadFix
byVirtual Forge
 
PDF
[ITAS.VN]CxSuite Enterprise Edition
byITAS VIETNAM
 
PDF
Happy New Year!
byCheckmarx
 
DevOps & Security: Here & Now
byCheckmarx
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
byAchim D. Brucker
 
Implementing an Application Security Pipeline in Jenkins
bySuman Sourav
 
Application Security Guide for Beginners
byCheckmarx
 
A Successful SAST Tool Implementation
byCheckmarx
 
Graph Visualization - OWASP NYC Chapter
byCheckmarx
 
Devops security-An Insight into Secure-SDLC
bySuman Sourav
 
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
byDevOpsDays Tel Aviv
 
Application Security Management with ThreadFix
byVirtual Forge
 
[ITAS.VN]CxSuite Enterprise Edition
byITAS VIETNAM
 
Happy New Year!
byCheckmarx
 

Similar to DevSecOps in Baby Steps

PDF
Agile Security—Field of Dreams
byPriyanka Aash
 
PPTX
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
PPTX
Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
byPrateek Mishra
 
PDF
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
byPriyanka Aash
 
PDF
Making Threat Intelligence Actionable Final
byPriyanka Aash
 
PPTX
Cybersecurity model and top cloud security controls for product development e...
byJames DeLuccia IV
 
PDF
How Security can be the Next Force Multiplier in DevOps
byAndrew Storms
 
PDF
Security Program Development for the Hipster Company
byPriyanka Aash
 
PDF
Security Program Development for the Hipster Company
byPriyanka Aash
 
PDF
Cloud security : Automate or die
byPriyanka Aash
 
PDF
Practical appsec lessons learned in the age of agile and DevOps
byPriyanka Aash
 
PDF
Building and Adopting a Cloud-Native Security Program
byPriyanka Aash
 
PDF
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
byPriyanka Aash
 
PDF
RSA 2015 Realities of Private Cloud Security
byScott Carlson
 
PDF
Hardening the cloud : Assuring agile security in high-growth environments
byPriyanka Aash
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
PDF
Secure Cloud Development Resources with DevOps
byCloudPassage
 
PDF
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
byPriyanka Aash
 
PPTX
API Security: Assume Possible Interference
byJulie Tsai
 
PDF
Dos and Don'ts of DevSecOps
byPriyanka Aash
 
Agile Security—Field of Dreams
byPriyanka Aash
 
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
byPrateek Mishra
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
byPriyanka Aash
 
Making Threat Intelligence Actionable Final
byPriyanka Aash
 
Cybersecurity model and top cloud security controls for product development e...
byJames DeLuccia IV
 
How Security can be the Next Force Multiplier in DevOps
byAndrew Storms
 
Security Program Development for the Hipster Company
byPriyanka Aash
 
Security Program Development for the Hipster Company
byPriyanka Aash
 
Cloud security : Automate or die
byPriyanka Aash
 
Practical appsec lessons learned in the age of agile and DevOps
byPriyanka Aash
 
Building and Adopting a Cloud-Native Security Program
byPriyanka Aash
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
byPriyanka Aash
 
RSA 2015 Realities of Private Cloud Security
byScott Carlson
 
Hardening the cloud : Assuring agile security in high-growth environments
byPriyanka Aash
 
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
Secure Cloud Development Resources with DevOps
byCloudPassage
 
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud
byPriyanka Aash
 
API Security: Assume Possible Interference
byJulie Tsai
 
Dos and Don'ts of DevSecOps
byPriyanka Aash
 

More from Priyanka Aash

PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 

Recently uploaded

PDF
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
PPTX
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
PDF
Smart Cloud Solutions-Smart,Secure & Scalable
byfloydjsmith02
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PDF
How to Build a Crypto Wallet that Excels in 2026.pdf
byimoliviabennett
 
PPT
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
PDF
Introduction to Linux and Basic Commands
byiDev Semarang
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PPTX
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
PDF
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PDF
Skills to Pass the UiPath Agentic Automation Associate (UiAAA) Certification
byUiPathCommunity
 
PPTX
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
PPTX
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PDF
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PDF
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
CodeMash 2026 - Optimizing Azure App Services
byBrian McKeiver
 
Smart Cloud Solutions-Smart,Secure & Scalable
byfloydjsmith02
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
How to Build a Crypto Wallet that Excels in 2026.pdf
byimoliviabennett
 
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
Introduction to Linux and Basic Commands
byiDev Semarang
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
SOFTWARE DEVELOPMENT PROCESS - INTRODUCTION
byParithi Thamizh
 
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
Skills to Pass the UiPath Agentic Automation Associate (UiAAA) Certification
byUiPathCommunity
 
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 

DevSecOps in Baby Steps

  • 1.
    SESSION ID: #RSAC Hart Rossman DevSecOpsin Baby Steps CSV-F03 Amazon Web Services Global Practice Manager- Security, Risk, and Compliance @HartDanger
  • 2.
    #RSAC The Journey: BabySteps to Parkour 2 Getting to DevOps DevOps to DevSecOps Planning your Epics & Sprints Use Cases & Examples
  • 3.
    #RSAC In The BeginningThere Was NoOps 3
  • 4.
    #RSAC Security program –Ownership as part of DNA • Promotes culture of “everyone is an owner” for security • Makes security stakeholder in business success • Enables easier and smoother communication Distributed Embedded
  • 5.
    #RSAC Responsibility & Accountability Ownit. Govern it. Not my monkeys; not my circus. Operating with Shared Responsibility How do I know? Do I carry a pager for this service? Do I make the rules? Should I be consulted or informed?
  • 6.
    #RSAC Security as code 1.Use the cloud to protect the cloud 2. Security infrastructure should be cloud aware 3. Expose security features as services via API 4. Automate everything so everything scales
  • 7.
    #RSAC Security as code:Innovation, stability, & security Business Development Operations Build it faster Keep it stable Security Protect it
  • 8.
    #RSAC Security as code:A shorter path to the customer Requirements Gathering Release Automated Build and Deploy Some learning Minimal learning Lots of learning
  • 9.
    #RSAC Security as code:Deploying more frequently lowers risk Smaller effort “Minimized risk” Frequent release events: “Agile methodology” Time Change Rare release events: “Waterfall methodology” Larger effort “Increased risk” Time Change
  • 10.
    #RSAC Version Control CI Server Package Builder Commit to Git/master Dev Get/ Pull Code Send Build Report to Dev Stop everything if build failed Distributed Builds Run Tests in parallel Code Config Tests Push Config Repo Continuous Integration
  • 11.
    #RSAC Confidence that ourcode changes will build successfully Increasing velocity of feedback cycle through iterative change Bugs are detected quickly Automated testing reduces size of testing effort Very fast feedback on the things we can test immediately What does CI give us?
  • 12.
    #RSAC Continuous Delivery Version Control CI Server Package Builder Deploy ServerCommitto Git/master Dev Get / Pull Code AMIs Send Build Report to Dev Stop everything if build failed Distributed Builds Run Tests in parallel Staging Env Test Env Code Config Tests Prod Env Push Config Install Create Repo CloudFormation Templates for Env Generate
  • 13.
    #RSAC Automated, repeatable processto push changes to production Hardens, de-risks the deployment process Allows detection of failure as quickly as possible in the build process Supports A/B testing or “We test customer reactions to features in production” Gives us a breadth of data points across our applications What does CD give us?
  • 14.
  • 15.
    #RSAC DevOps Continuous Delivery Technology change that enables culturechange DevOps Culture change that enables technology change
  • 16.
  • 17.
    #RSAC DevSecOps: Core Principles 1.Secure the toolchain 2. Armor up the workloads 3. Deploy your security infrastructure through the toolchain
  • 18.
    #RSAC DevOps DevSecOps Version Control CI Server Package Builder Deploy ServerCommitto repoDev Pull Code AMIs Send build report to dev and stop everything if build failed Staging Env Test Env Code Config Tests Prod Env Push Config Install Create Repo AWS CloudFormation templates for Env Generate Security Repository Vulnerability and pen testing •Security Infrastructure tests •Security unit tests in app
  • 19.
    #RSAC CI/CD and automationfor security infrastructure Version Control Build/ compile code Dev Unit test app code IT Ops DR Env Test Env Prod Env Dev Env Application Write app code Infrastructure CloudFormation tar, war, zip yum, rpmDeploy app Package application Deploy application only Deploy infrastructure only AMI Build AMIs Validate templates Write infra code Deploy infras Automate deployment Artifact Repository
  • 20.
    #RSAC Building DevSecOps teams •Make DevOps the security team’s job. • No siloed/walled off DevOps teams. • Encourage {security} developers to participate openly in the automation of operations code. • Embolden {security} operations participation in testing and automation of application code. • Take pride in how fast and frequently you deploy.
  • 21.
    #RSAC Planetary Scale fromDay 1 Build Security Services Expose features as API Plan for Scale Know your Customers Utilize customer feedback to Iterate Internalize your Metrics, let them guide you
  • 22.
  • 23.
    #RSAC Security as code:Agile user stories 1. Epics vs. stories An epic is delivered over many sprints; a user story is delivered in one sprint or less. Icebox backlog  sprint 2. Product owner The product owner decides the priority of each story, is responsible for accepting the story, and is responsible for defining the detailed requirements and detailed acceptance criteria for the story.
  • 24.
    #RSAC Security as code:Agile user stories 3. Persona (or role) A persona/role is a fictitious user or actor within or of the system. 4. Acceptance criteria What does good look like? How will we know? 5. Summary format Every story should have the same summary format: As a (persona/role) I want (function) so that (benefit).
  • 25.
    #RSAC Security as code:Security Epics Shared Responsibility Model Identity and Access Control Logging and Monitoring Infrastructure Security Data Protection Incident Response & Forensics Configuration and Vulnerability Analysis Big Data and Predictive Analytics
  • 26.
    #RSAC Getting Started: IAM Story:As a IAM administrator I want to continually reduce the scope of access for humans even as our platform grows. Passwords and access keys that have not been used recently might be good candidates for removal. Sprint 1: Get credential reports and flag credentials not used in last 45 days. Other sprint ideas can be found at: http://docs.aws.amazon.com/IAM/latest/UserGuide/best- practices.html
  • 27.
    #RSAC Getting Started: Logging& Monitoring Story: As a security analyst I want to monitor interactions with AWS API so that we can baseline user behavior Sprint 1: Enable AWS CloudTrail globally Story: As a security operations team member I want to take action on AWS CloudWatch alarms so that we respond responsibly Sprint 2: Integrate alerting into security workflow & ticketing
  • 28.
  • 29.
    #RSAC Building a “LambdaResponder” AWS CloudTrail Amazon S3 Amazon SNS
  • 30.
    #RSAC Reading events inLambda exports.handler = function(event,context) { var snsMsgString = JSON.stringify(event.Records[0].Sns.Message); var snsMsgObject = getSNSMessageObject(snsMsgString); var srcBucket = snsMsgObject.Records[0].s3.bucket.name; var srcKey = snsMsgObject.Records[0].s3.object.key; ... function getSNSMessageObject(msgString) { var x = msgString.replace(//g,’’); var y = x.substring(1,x.length-1); var z = JSON.parse(y); return z; }
  • 31.
    #RSAC Detecting events inLambda … var EVENT_SOURCE_TO_TRACK = /cloudtrail.amazonaws.com/; var EVENT_NAME_TO_TRACK = /StopLogging/; var matchingRecords = records .Records .filter(function(record) { return record.eventSource.match(EVENT_SOURCE_TO_TRACK) && record.eventName.match(EVENT_NAME_TO_TRACK); }); …
  • 32.
    #RSAC Responding to eventsin Lambda ... if (matchingRecords.length >= 1) { console.log('StopLogging detected! Reverting...'); cloudtrail.startLogging(cloudtrailParams, function(err, data) { ...
  • 33.
  • 34.
    #RSAC What you doin any IT Environment • Firewall rules • Network ACLs • Network time pointers • Internal and external subnets • NAT rules • Gold OS images • Encryption algorithms for data in transit and at rest http://docs.aws.amazon.com/quickstart/latest/accelerat or-nist/welcome.html Golden Code: Security Translation to AWS AWS JSON translation Gold Image, NTP and NAT Network ACLs, Subnets, FW rules
  • 35.
    #RSAC Security As Code:Using AWS CodeDeploy Imaging instance memory: LiME - https://github.com/504ensicslabs/lime AWS CodeDeploy:
  • 36.
  • 37.
    #RSAC “Apply” Slide 37 Make DevOpsthe security team’s job Harden your toolchain Plan your Security Epics Write your first Security User Story Sprint!