DevSecOps
What is DevSecOps?
What can one engineer do?
By Dmitry Batiievskyi
DevOps
- DevOps is a set of practices intended to reduce the time between committing a change to a system and that change reaching normal production, while ensuring high quality.
- A DevOps team is a team that implements, or aims to implement, these practices.
Full stack
- Knowledge of a programming language, framework, or service is not unique knowledge
- Strong, deep knowledge is unique
- You cannot build mastery in anything without at least a basic understanding of adjacent areas
- Network, testing, deployment, security
Team structure
Cross-functional teams and shared responsibility lead to:
- Better quality
- Team members being educated in adjacent areas
- People learning not to put extra load on each other
Building the foundation
- Architecture
- Set up rules and policies
- Set up a common toolkit
- Set up processes
- People who care in each team
Being professional
Basics:
- Teach by example
- Don’t pass by
- Care about quality
Development cycle
Modern flow
Modern flow explained
Simple things
- Complex passwords and password managers
- MFA
- Keys, secrets and passwords in git repos
- Basic source code checks (SAST)
- Least privilege
- Security updates
- Credentials rotation
- Tools/technologies best practices
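The "keys, secrets and passwords in git repos" point and the "basic source code checks" point are the two that are cheapest to automate. The following is an added example (not code from the slides or from any tool they list) of the kind of check a pre-commit hook or CI job can run over the added lines of a diff: a few public secret formats (the AWS access key id shape and PEM private key headers), a heuristic for `<secret-ish name> = "<literal>"`, and a Shannon-entropy fallback for long random-looking tokens. The sample diff, the rule names and the entropy threshold are all assumptions made for this example; the `AKIA...` value is the key-shaped placeholder used in AWS documentation, not a real key.

```python
"""Minimal secret-in-commit check over a diff: an added example, not code from the slides."""
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Constructed sample input in the shape a pre-commit or CI hook sees (added lines of a diff).
# Every value is made up; the AKIA... string is the key-shaped placeholder from AWS docs.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+DB_HOST = "db.internal.example"
+DB_PASSWORD = "hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SESSION_SECRET = "s3ss10n-s3cr3t-value"
+++ b/deploy/env.sh
+export SIGNING_KEY=Qm7xP2vLw9ZtR4nHs8JgF1kB3yD6aC5e
+++ b/deploy/id_rsa
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAexample
+++ b/README.md
+Run `make test` before pushing.
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str  # redacted: a report must never echo the secret itself


# Pattern rules (rule names are this example's own). AKIA + 16 uppercase alphanumerics and
# PEM headers are public formats; the credential rule is a heuristic on variable names.
PATTERN_RULES: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_header": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"""(?i)(password|passwd|pwd|secret|token|api_?key)\s*[:=]\s*['"]([^'"]{4,})['"]"""
    ),
}
# Candidate tokens for the entropy check: 20+ chars of a base64/hex/identifier-like alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random keys sit well above, prose well below


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a 4-character prefix so findings can be logged without leaking the value."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(text: str) -> List[Finding]:
    """Scan a diff (or any text) line by line; one Finding per rule hit.

    Diff file headers (+++/---) are skipped. A line already flagged by a pattern rule is
    not re-scanned for entropy, so a single key does not produce two findings.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("+++") or line.startswith("---"):
            continue
        hit = False
        for name, pattern in PATTERN_RULES.items():
            m = pattern.search(line)
            if m:
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(line_no, name, redact(value)))
                hit = True
        if not hit:
            for token in TOKEN_RE.findall(line):
                if shannon_entropy(token) > ENTROPY_THRESHOLD:
                    findings.append(Finding(line_no, "high_entropy_string", redact(token)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.rule} ({f.snippet})")
    # A hook would exit non-zero when findings is non-empty, blocking the commit.
```

Wired into a pre-commit hook, a non-empty result should block the commit; in CI it should fail the job. The entropy rule is the noisy one (hashes and generated identifiers trip it), so a real deployment keeps an allow-list of known false positives next to the rules rather than lowering the threshold.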
Software security needs
Zoning
- Make users comfortable
- Perimeter network security is not possible
- Network segmentation
Asset management
- Store secrets securely
- Log access to secrets
- Rotate secrets
Logging
- A cornerstone of security compliance
- Log access
- Log changes
- Log failures
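The Asset management slide (store, log access to, rotate secrets) and the Logging slide (log access, changes and failures) describe the same audit trail from two sides. The following is an added example, not code from the slides, of what that trail can look like as one-line JSON events for a secret store, plus two checks that only a log with all three event kinds makes possible: a burst of denied accesses from one principal, and secrets whose last recorded rotation is older than a maximum age. The event schema, field names, sample actors and secret identifiers are all constructed for this example.

```python
"""Audit events for a secret store and two checks over them: an added example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def audit_event(kind: str, actor: str, secret_id: str, outcome: str,
                at: datetime, detail: str = "") -> str:
    """Serialize one audit record as a JSON line.

    kind    : "access" (a read), "change" (create/rotate/delete) or "failure"
              (a denied or errored action), matching the three things the slides say to log.
    outcome : "ok" or "denied".
    Only the secret's identifier is logged, never its value.
    """
    if kind not in ("access", "change", "failure"):
        raise ValueError(f"unknown event kind: {kind}")
    return json.dumps({"ts": at.isoformat(), "kind": kind, "actor": actor,
                       "secret": secret_id, "outcome": outcome, "detail": detail},
                      sort_keys=True)


def parse_events(lines: List[str]) -> List[dict]:
    """Parse JSON lines back into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failure_bursts(events: List[dict], threshold: int = 3,
                   window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Actors with at least `threshold` failure events inside any `window`-long span."""
    by_actor: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev["kind"] == "failure":
            by_actor[ev["actor"]].append(ev["ts"])
    flagged: Dict[str, int] = {}
    for actor, times in by_actor.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[actor] = best
    return flagged


def stale_secrets(events: List[dict], now: datetime,
                  max_age: timedelta = timedelta(days=90)) -> Dict[str, Optional[int]]:
    """Secrets whose last successful change is older than max_age (value: age in days).

    A secret that appears in the log but has no successful change on record is reported
    with age None: its rotation state is unknown, which is its own finding.
    """
    last_change: Dict[str, datetime] = {}
    seen: List[str] = []
    for ev in events:                           # events are time-sorted, so the last change wins
        sid = ev["secret"]
        if sid not in seen:
            seen.append(sid)
        if ev["kind"] == "change" and ev["outcome"] == "ok":
            last_change[sid] = ev["ts"]
    stale: Dict[str, Optional[int]] = {}
    for sid in seen:
        if sid not in last_change:
            stale[sid] = None
        elif now - last_change[sid] > max_age:
            stale[sid] = (now - last_change[sid]).days
    return stale


# Constructed sample log: a rotation bot, a CI deployer and a user probing secrets
# outside their policy. T0 is the "now" the checks run against.
T0 = datetime(2019, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    audit_event("change", "secops-bot", "db/app-password", "ok", T0 - timedelta(days=120), "rotated"),
    audit_event("change", "secops-bot", "api/partner-token", "ok", T0 - timedelta(days=10), "rotated"),
    audit_event("access", "ci-deployer", "db/app-password", "ok", T0 - timedelta(minutes=30)),
    audit_event("access", "ci-deployer", "api/partner-token", "ok", T0 - timedelta(minutes=29)),
    audit_event("failure", "jdoe", "db/app-password", "denied", T0 - timedelta(minutes=4), "not in policy"),
    audit_event("failure", "jdoe", "db/app-password", "denied", T0 - timedelta(minutes=3), "not in policy"),
    audit_event("failure", "jdoe", "api/partner-token", "denied", T0 - timedelta(minutes=2), "not in policy"),
    audit_event("failure", "ci-deployer", "legacy/ftp-password", "denied", T0 - timedelta(minutes=1), "secret not found"),
]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failure bursts:", failure_bursts(evs))
    print("stale secrets:", stale_secrets(evs, T0))
```

Two design points carry over to a real store: the record never contains the secret value, only its identifier, so the audit log itself does not become a second copy of the secret; and "never rotated on record" is reported as a distinct state rather than silently treated as fresh, because a secret that predates the logging is exactly the one most likely to be overdue.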
Next steps
- Security as code
- SAST
- DAST
- IDS/IPS
- WAF
- Penetration testing
OWASP top 10
Tools
Resources
http://www.devsecops.org
http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
https://en.wikipedia.org/wiki/Software_asset_management
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
https://github.com/OWASP/Top10/tree/master/2017
https://docs.gitlab.com/ee/topics/autodevops/index.html
https://github.com/danielmiessler/SecLists/tree/master/Passwords
https://en.wikipedia.org/wiki/Web_application_firewall
https://github.com/aelsabbahy/goss
https://github.com/garytkainos/Gauntlt-Ubuntu
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
Thank you
Dmitry Batiievskyi
https://www.linkedin.com/in/dmitry-batiievskyi-aa17aa66/

DevSecOps overview and what one engineer can do_Dmytro Batiievskyi