QualiTest explains how a secured DevOps (DevSecOps) delivery process can be achieved using automated code scanning, enabling a significant shift left of issue detection and minimizing the time to fix. Whether you are considering DevSecOps, on the path, or already there, this deck is for you.
For more information, please visit www.QualiTestGroup.com
5. The Evolution of Software Delivery
| Iterative/Waterfall
• Large phases of work, each phase completing fully before starting the next
• Clearly defined entry and exit criteria on each phase
• Analyse-Design-Build-Test-Release-Maintain
| Agile
• Little and often: small incremental changes
• Analysis, Build, Design, Test, Release teams work together
• Specific types of testing (e.g. performance, security, usability) usually done infrequently for milestone releases
| Continuous Delivery/DevOps
• Build on agile
• Fully automate build, functional test, release
• Any code change can go all the way through to production automatically
• Liaise with operations to define environments as code and build performance metrics into the automated pipeline
6. The importance of security
| 2/3 of large UK businesses have been hit by a cyber attack in the last year
| 70% of all attacks involve viruses, malware or spyware
| Most attacks are preventable
| The known monetary costs rank in the millions; the true costs are unknown, as many businesses do not disclose full details
| What about the reputation damage? TalkTalk, Ashley Madison, Sony PSN, Yahoo!, NHS – not just famous for their services any more
7. No man is an island
| Security is one of the last predominantly manual testing fields: very few automated tools exist, and it is hard to bake into the pipeline
| Comparatively late-stage
| High defect fix costs and risk of a late-notice no-go
| Many developers and functional testers don’t have much grounding in security
| Security needs to integrate earlier in the lifecycle; current security practitioners can enable this
8. What is an application really?
| Application DNA: Framework, Library, Custom Code, Data
10. Security is Everyone’s Problem
| How big is your codebase?
• 75% of a modern application’s code is from external sources
• A single team will struggle to police the remaining 25%, let alone everything
• We need to build a culture where security and stability of an application is shared by all stakeholders
• Everyone needs to collaborate to keep our apps and users safe
• Security needs to shift left and be present throughout the pipeline
| Lines of code, for scale:
• iOS app: <50,000 lines of code
• Photoshop CS6: >4,000,000 lines of code
• Firefox: >9,000,000 lines of code
• Microsoft Office 2013: >44,000,000 lines of code
• Modern day car: ~100,000,000 lines
Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
13. DevOps is not a technology
It’s not a single process
It’s not about job titles
Annoyingly, I can’t sell you DevOps or even DevSecOps
It is beautifully simple though…
16. | The First Way – Systems Thinking
| Features
• Increasing left-to-right flow from Development to IT Operations to the customer
• Need for smaller batch sizes and intervals of work
• Never passing defects to downstream work centers
• Optimise for global (business) goals
| Practices
• Continuous build, integration and deployment
• Creating environments on demand
• Limiting work in process
• Building safe systems and organisations that are safe to change
The Three Ways
17. | The Second Way – Amplify Feedback Loops
| Features
• Constant flow of fast feedback from right-to-left at all stages
• Amplifying it to ensure that we can prevent problems from repeating or enable faster detection / recovery
• Enables creation of quality at the source, establishing or embedding knowledge where we need it
| Practices
• “Stopping the production line” when builds and tests fail in the dev pipeline
• Constantly elevating the improvement of daily work over daily work
• Creating fast automated test suites – prove deployable code
• Pervasive telemetry
18. | The Third Way – Culture of Continual Experimentation & Learning
| Features
• Continual experimentation, risk taking and learning
• Repetitive practice is the prerequisite to mastery
| Practices
• Failure is welcomed, but rarely repeated
• Constant practice reinforces stability and safety
• High trust amongst team members
• Allocate >20% of cycles towards non-functional requirements – e.g. Security
• Improvements are celebrated
19. Netflix - Fostering a Culture of Safety & Resilience
| “Chaos Monkey” actually makes bad things happen to force the engineer to deal with real life
| “Security Monkey” is a tool for monitoring and analyzing the security posture of Amazon Web Services configurations
| Chaos Monkey, Chaos Gorilla, Chaos Kong, Janitor Monkey, Doctor Monkey, Compliance Monkey, Latency Monkey, Security Monkey
21. Five Principles for Integrating Security into DevOps
1. Automate Security In
2. Integrate to “Fail Quickly”
3. No False Alarms
4. Build Security Champions
5. Keep Operational Visibility
22. Integration & Automation
[Diagram: CI/CD pipeline, run per check-in. CI side: Backlog, Develop, Build & Test, Check in, Build, then Static Analysis and Unit Tests feeding a "Pass?" gate (No: Synchronize and fix; Yes: continue). CD side: Deploy to QA/Stage, then Dynamic Analysis and Regression Testing feeding a second "Pass?" gate (Yes: Stage, then Prod).]
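The "Static Analysis -> Pass?" gate above, and the "fail quickly" / "no false alarms" principles on slide 21, come down to a small policy step between the scanner and the pipeline. The script below is an added illustration, not QualiTest's or Netflix's code; it assumes the scanner emits SARIF 2.1.0 (the deck names no scanner or format), uses constructed sample findings, and treats a triaged baseline of fingerprints as the mechanism that stops known, reviewed findings from re-breaking every build.

```python
import json

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF levels

def _result(rule, level, uri, line, fp):
    """Build one SARIF 2.1.0 result object (constructed sample data)."""
    return {"ruleId": rule, "level": level,
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}],
            "partialFingerprints": {"primaryLocationLineHash": fp}}

# Hypothetical scanner output: one new error, one triaged warning, one note.
SAMPLE_SARIF = json.dumps({"runs": [{"results": [
    _result("hardcoded-credential", "error", "src/orders.py", 42, "f1a2"),
    _result("weak-hash", "warning", "src/legacy.py", 7, "b3c4"),
    _result("unused-import", "note", "src/util.py", 1, "d5e6")]}]})
# Triaged fingerprints (constructed): reviewed findings that must not re-break every build ("no false alarms").
BASELINE = {"b3c4": "checksum only, not security relevant (ticket SEC-000)"}

def load_findings(sarif_text):
    """Flatten SARIF runs/results into simple finding dicts."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            loc = r.get("locations", [{}])[0].get("physicalLocation", {})
            out.append({
                "rule": r.get("ruleId", "?"), "level": r.get("level", "warning"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "fp": r.get("partialFingerprints", {}).get("primaryLocationLineHash")})
    return out

def evaluate_gate(findings, baseline, fail_level="warning"):
    """Fail fast on any untriaged finding at or above fail_level.
    Returns (passed, blocking, suppressed)."""
    blocking, suppressed = [], []
    for f in findings:
        if f["fp"] in baseline:
            suppressed.append(f)
        elif LEVEL_RANK.get(f["level"], 2) >= LEVEL_RANK[fail_level]:
            blocking.append(f)
    return not blocking, blocking, suppressed

if __name__ == "__main__":
    ok, blocking, suppressed = evaluate_gate(load_findings(SAMPLE_SARIF), BASELINE)
    for f in blocking:
        print(f"BLOCK {f['file']}:{f['line']} {f['rule']} [{f['level']}]")
    print(f"gate={'PASS' if ok else 'FAIL'} suppressed={len(suppressed)}")
    raise SystemExit(0 if ok else 1)  # non-zero exit stops the production line
```

With the sample data the gate exits non-zero because of the untriaged error, while the baselined warning is reported as suppressed rather than blocking; a CI step that runs this script gets its pass/fail from the exit status alone.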
26. Measurement (Scan Early, Scan Often)
Applications that used sandbox had an average fix rate of 59%, or a 2x improvement in fix rate
28. Bridging The Gap
| Development Team
• Scan/test early & often
• Integrate & automate
• Take training
• Request remediation guidance
• Become a security champion
| Security
• Be involved in all phases
• Define & explain policy
• Provide targeted training
• Provide remediation guidance
• Recruit & train champions