DevSecOps
Security and Compliance at the Speed of Continuous Delivery
Agile Ottawa June 2018
Tehama
• Delivers privileged technical services over the internet with
– Transparency
– Security
– Auditability
• Ensures trust while enabling quick onboarding and connectivity
Tehama and SOC2
• Decided early on that SOC2 was mandatory to build trust with clients
– Demonstrates robust security practices via a trusted 3rd party
Compliance Basics
• Say what you’re going to do
• Do it
• Prove that you did it
– Easy =)
Compliance Basics
• Say what you’re going to do
– Done via Security Controls, plans, and processes
• Do it
– Hard
• Prove that you did it
– Evidence
• Hardest ... if you haven’t planned for it
Control Example
• A vulnerability management plan is maintained to identify potential threats. Threats are triaged and mitigated as required. Remediation plans are developed to address risks.
DevSecOps
• DevOps used to deliver and run systems in a secure and reliable way
• Bringing in Security and Compliance increases the focus on Ops
– “You build it, you run it”
DevSecOps
• Look at security and compliance as a
– Release problem
– Test problem
– Monitoring and observability problem
• Leverage security and compliance expertise in building out the system
– This is the secret sauce
Tehama and DevSecOps
• Security and compliance can’t be “the office of no”
• Make it secure in order to demonstrate compliance
– Keep it valuable
– Don’t make it a checkbox exercise
– E.g. continuous vuln mgmt is much better than a monthly review cycle
There is no Magic
• It’s just mature DevOps
– DevSecOps
– DevOpsSec
– Rugged DevOps
• But it is a good phrase to search with
DevOps Patterns
• Infrastructure as Code
• Continuous Delivery
• Continuous Monitoring
• Learning from Failure
• Collaborative Culture
Security Patterns
Using DevOps to implement
• Defense in depth
• Access control
• Principle of least privilege
Policy Designed for CI/CD
Change Management
• Standard Change
– Pre-approved
– Move most changes here
– High success rate, low MTTR
• High Risk Change
– Classic security approval
• Emergency Change
– Post release approval
– Don’t block an emergency change
Policy Requires Vulnerability Management
Common categorization between tools
• Tools find CVEs
– Common Vulnerabilities and Exposures
• Classified via Common Vulnerability Scoring System
– CVSS
• Includes remediation timelines (SLA)
Implementation
Security is everyone’s job, all the time
• Design it into the system, then it is just how the software is delivered
• Audit evidence is generated during daily work
– Not a scramble before an audit
Implementation
Secure software supply chain
• All images and OSs are from trusted repos
– Hardened
• All software dependencies are scanned
• Patch management is a priority
– Custom software dependencies
– EC2 OS
– Docker images
– Open source applications
Implementation - SDLC
The SDLC is based on a CI/CD pipeline
Automatic
• SAST
– Static Application Security Testing
• DAST
– Dynamic Application Security Testing
• SCA
– Software Component Analysis
• Container vulnerability analysis
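The vulnerability management policy above (tools find CVEs, CVSS classifies them, the policy carries remediation SLAs) and the automatic SCA and container scans in the pipeline can be tied together as a policy-as-code gate that also emits the remediation tickets the audit will later ask for. The following is an added example, not code from the deck or from Tehama; the SLA day counts, the scanner JSON shape, and the CVE and component values are constructed for illustration.

```python
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLA per CVSS v3.x qualitative rating: (score floor, severity, days).
# Day counts are constructed for this example; the deck says the policy has SLAs
# but gives no numbers.
SLA_POLICY = [
    (9.0, "critical", 7),
    (7.0, "high", 30),
    (4.0, "medium", 90),
    (0.1, "low", 180),
]

# Constructed scanner output: SCA and container-scan findings merged into one list,
# as a pipeline step might emit them. CVE ids and components are placeholders.
SCAN_RESULTS = """[
 {"source": "sca", "component": "pkg:npm/example-lib@1.2.3", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "first_seen": "2018-05-20"},
 {"source": "container", "component": "api:sha256-PLACEHOLDER", "cve": "CVE-EXAMPLE-0002", "cvss": 7.5, "first_seen": "2018-05-25"},
 {"source": "container", "component": "api:sha256-PLACEHOLDER", "cve": "CVE-EXAMPLE-0003", "cvss": 5.3, "first_seen": "2018-06-01"},
 {"source": "sca", "component": "pkg:npm/example-lib@1.2.3", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "first_seen": "2018-05-20"},
 {"source": "sca", "component": "pkg:pypi/example-client@0.9.0", "cve": "CVE-EXAMPLE-0004", "cvss": 0.0, "first_seen": "2018-06-02"}
]"""

@dataclass(frozen=True)
class Finding:
    source: str        # which automated check reported it: "sca" or "container"
    component: str     # dependency or image the CVE applies to
    cve: str
    cvss: float        # CVSS base score as reported by the scanner
    first_seen: date   # SLA clock starts at first detection, not at ticketing

@dataclass(frozen=True)
class Assessment:
    finding: Finding
    severity: str
    due: Optional[date]
    overdue: bool

def classify(cvss: float):
    """Map a CVSS base score to (severity, sla_days) under SLA_POLICY."""
    for floor, severity, sla_days in SLA_POLICY:
        if cvss >= floor:
            return severity, sla_days
    return "none", None  # score 0.0: informational, no SLA clock

def load_findings(raw_json: str):
    """Parse scanner output, dropping exact repeats (same tool, component and CVE
    reported twice, e.g. by two build stages) so one issue gets one ticket."""
    seen, findings = set(), []
    for row in json.loads(raw_json):
        f = Finding(row["source"], row["component"], row["cve"],
                    float(row["cvss"]), date.fromisoformat(row["first_seen"]))
        if f not in seen:
            seen.add(f)
            findings.append(f)
    return findings

def assess(findings, today: date):
    """Attach severity, due date and overdue flag to every finding."""
    out = []
    for f in findings:
        severity, sla_days = classify(f.cvss)
        due = f.first_seen + timedelta(days=sla_days) if sla_days else None
        out.append(Assessment(f, severity, due, due is not None and today > due))
    return out

def gate(assessments, block_severities=("critical", "high")):
    """Pipeline gate: fail only when a blocking-severity finding is past its SLA.
    Findings inside their SLA pass (they are ticketed and on schedule); blocking
    them would turn the gate into the 'office of no'."""
    blockers = [a for a in assessments
                if a.overdue and a.severity in block_severities]
    return len(blockers) == 0, blockers

def remediation_tickets(assessments):
    """Evidence generated by the run itself: one ticket per (CVE, component) with
    severity and due date, whichever scanner found it."""
    tickets = {}
    for a in assessments:
        if a.due is None:
            continue
        key = (a.finding.cve, a.finding.component)
        tickets.setdefault(key, {"cve": a.finding.cve, "component": a.finding.component,
                                 "severity": a.severity, "due": a.due.isoformat()})
    return list(tickets.values())

def run(today_iso: str, raw_json: str = SCAN_RESULTS):
    """Evaluate one scan against the policy; returns a summary for the pipeline log."""
    assessments = assess(load_findings(raw_json), date.fromisoformat(today_iso))
    passed, blockers = gate(assessments)
    return {"findings": len(assessments), "gate_passed": passed,
            "blockers": [a.finding.cve for a in blockers],
            "tickets": remediation_tickets(assessments)}

if __name__ == "__main__":
    print(json.dumps(run("2018-06-05"), indent=2))
```

Run on the constructed scan with today set to 2018-06-05, the critical finding first seen on 2018-05-20 has blown its 7-day SLA and fails the gate, while the high and medium findings stay inside their SLAs and only produce tickets.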
Implementation - SDLC
Manual
• Prioritization and planning
• Pull requests and code review
– Code review guidelines call out security concerns with a standard checklist
• PR approval, and release authorization
Implementation - Monitoring
Vulnerability plan includes intrusion detection
Requires monitoring and alerting to detect incidents
• Alerting will launch Incident Response (IR)
• Note, manual detection is still in scope
– Strange system behaviour
– Customer reports
– AWS security
– Law enforcement
Implementation - IR
Vulnerability plan includes intrusion detection
Requires monitoring and alerting to detect incidents
• Alerting will launch Incident Response (IR)
• Manual detection is still in scope
– Noticing strange system behaviour
– Customer reports
– AWS security
– Law enforcement
Implementation - IR and Logging
DevOps includes a focus on monitoring and observability
• This adds big value
• Enables robust Incident Response and troubleshooting capabilities
Where’s the Evidence?
• Agile planning
• Work ticket workflow
– Pull requests
• CI/CD scan logs
– Remediation tickets
• Release ticket workflow
– Authorization
• Production monitoring
• Incident tickets
• Chat Ops
• Blameless post-mortems
– Remediation tickets
Results
• Last pen test had no findings
• Security and compliance dev work is not exceptional
• First audit (Type 1) passed without complications
– Kudos from auditors
• Second audit (Type 2) had no major out of band work for developers or compliance
• Continuous improvement on logging and monitoring
• IR and post-mortem process well established
References
• DevOpsSec: Securing software through continuous delivery
– https://www.safaribooksonline.com/library/view/devopssec/9781491971413/
• DevOps Audit Defense Toolkit
– https://itrevolution.com/devops-audit-defense-toolkit/
• The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations
– Chapter 19
– Section VI
– Appendix 9
– https://www.amazon.ca/DevOps-Handbook-World-Class-Reliability-Organizations/dp/1942788002
References
• Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations
– Chapter 6
– https://www.amazon.ca/Accelerate-Software-Performing-Technology-Organizations/dp/1942788339/
• Incident Management for Operations
– https://www.amazon.ca/Incident-Management-Operations-Rob-Schnepp/dp/1491917628/
• Pagerduty Incident Response
– https://response.pagerduty.com/
• Incident Response: Trade-offs Under Pressure
– https://www.slideshare.net/InfoQ/incident-response-tradeoffs-under-pressure
References
• Blameless PostMortems and a Just Culture
– https://codeascraft.com/2012/05/22/blameless-postmortems/
• The infinite hows
– https://www.oreilly.com/ideas/the-infinite-hows
• Debriefing Facilitation Guide
– https://extfiles.etsy.com/DebriefingFacilitationGuide.pdf
• Was it technical failure or human error?
– https://www.youtube.com/watch?v=Ygx2AI2RtkI
• AWS Monitoring & Logging
– https://www.slideshare.net/JasonPoley/aws-monitoring-logging
• Container & Microservice Security
– https://www.youtube.com/watch?v=8tDpGyVV8OQ

More Related Content

What's hot

Putting the Sec into DevOps
Putting the Sec into DevOpsPutting the Sec into DevOps
Putting the Sec into DevOps
Maytal Levi
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owaspHelen Bravo
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and Testing
Sam Bowne
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
Digital Bond
 
Securing the continuous integration
Securing the continuous integrationSecuring the continuous integration
Securing the continuous integration
Irene Michlin
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce
 
Practical Application of Agile Techniques in Developing Safety Related Systems
Practical Application of Agile Techniques in Developing Safety Related SystemsPractical Application of Agile Techniques in Developing Safety Related Systems
Practical Application of Agile Techniques in Developing Safety Related Systems
AdaCore
 
Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.Monate
Mahaut Gouhier
 
Agile methods and safety critical software - Peter Gardner
Agile methods and safety critical software - Peter GardnerAgile methods and safety critical software - Peter Gardner
Agile methods and safety critical software - Peter Gardner
AdaCore
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
Digital Bond
 
What to Do When You Don’t Know What to Do: Control System Patching Problems a...
What to Do When You Don’t Know What to Do: Control System Patching Problems a...What to Do When You Don’t Know What to Do: Control System Patching Problems a...
What to Do When You Don’t Know What to Do: Control System Patching Problems a...
EnergySec
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
Digital Bond
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
EnergySec
 
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
North Texas Chapter of the ISSA
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
Digital Bond
 
ICS Performance Lab
ICS Performance LabICS Performance Lab
ICS Performance Lab
Jim Gilsinn
 
Challenges of Agile Qualification
Challenges of Agile QualificationChallenges of Agile Qualification
Challenges of Agile QualificationAdaCore
 

What's hot (20)

Putting the Sec into DevOps
Putting the Sec into DevOpsPutting the Sec into DevOps
Putting the Sec into DevOps
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and Testing
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
Securing the continuous integration
Securing the continuous integrationSecuring the continuous integration
Securing the continuous integration
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
 
Practical Application of Agile Techniques in Developing Safety Related Systems
Practical Application of Agile Techniques in Developing Safety Related SystemsPractical Application of Agile Techniques in Developing Safety Related Systems
Practical Application of Agile Techniques in Developing Safety Related Systems
 
Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.Monate
 
Agile methods and safety critical software - Peter Gardner
Agile methods and safety critical software - Peter GardnerAgile methods and safety critical software - Peter Gardner
Agile methods and safety critical software - Peter Gardner
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
What to Do When You Don’t Know What to Do: Control System Patching Problems a...
What to Do When You Don’t Know What to Do: Control System Patching Problems a...What to Do When You Don’t Know What to Do: Control System Patching Problems a...
What to Do When You Don’t Know What to Do: Control System Patching Problems a...
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
 
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
NTXISSACSC3 - Beyond ISO 27034 - Intel's Product Security Maturity Model (PSM...
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 
ICS Performance Lab
ICS Performance LabICS Performance Lab
ICS Performance Lab
 
Girish Dambal Ver 1.1
Girish Dambal Ver 1.1Girish Dambal Ver 1.1
Girish Dambal Ver 1.1
 
Challenges of Agile Qualification
Challenges of Agile QualificationChallenges of Agile Qualification
Challenges of Agile Qualification
 

Similar to DevSecOps: Security and Compliance at the Speed of Continuous Delivery

Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops  security and compliance at the speed of continuous delivery - owaspDev secops  security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owasp
Dag Rowe
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
CloudPassage
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Efforts in Scaling Application Security Programs
Efforts in Scaling Application Security ProgramsEfforts in Scaling Application Security Programs
Efforts in Scaling Application Security Programs
Eric Fay
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
Qualitest
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
Amazon Web Services
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Simon Storm
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Tripwire
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
DrBasemMohamedElomda
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
Devops as a service
Devops as a serviceDevops as a service
Devops as a service
Saravanan Subburayal
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabad
kunwaratul hax0r
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 

Similar to DevSecOps: Security and Compliance at the Speed of Continuous Delivery (20)

Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops  security and compliance at the speed of continuous delivery - owaspDev secops  security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owasp
 
Journey to the center of DevOps - v6
Journey to the center of DevOps - v6Journey to the center of DevOps - v6
Journey to the center of DevOps - v6
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Efforts in Scaling Application Security Programs
Efforts in Scaling Application Security ProgramsEfforts in Scaling Application Security Programs
Efforts in Scaling Application Security Programs
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
 
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 Stop Chasing the Version: Compliance with CIPv5 through CIPv99
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Devops as a service
Devops as a serviceDevops as a service
Devops as a service
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabad
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
 

Recently uploaded

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 

Recently uploaded (20)

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
DevSecOps: Security and Compliance at the Speed of Continuous Delivery

13. Policy Designed for CI/CD
Change Management
• Standard Change
– Pre-approved
– Move most changes here
– High success rate, low MTTR
• High Risk Change
– Classic security approval
• Emergency Change
– Post release approval
– Don’t block an emergency change
14. Policy Requires Vulnerability Management
Common categorization between tools
• Tools find CVEs
– Common Vulnerabilities and Exposures
• Classified via Common Vulnerability Scoring System
– CVSS
• Includes remediation timelines (SLA)
15. Implementation
Security is everyone’s job, all the time
• Design it into the system, then it is just how the software is delivered
• Audit evidence is generated during daily work
– Not a scramble before an audit
16. Implementation
Secure software supply chain
• All images and OSs are from trusted repos
– Hardened
• All software dependencies are scanned
• Patch management is a priority
– Custom software dependencies
– EC2 OS
– Docker images
– Open source applications
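The "trusted repos" control on this slide is easy to state and easy to drift from: a Dockerfile that pulls a floating tag from an unknown registry means the image that was scanned is not necessarily the image that runs. Below is an added example of a pipeline check for that control; it is not Tehama's code or any scanner's output. The registry allow-list (`TRUSTED_REGISTRIES`), the Dockerfile and the digest are constructed placeholders, and the registry-detection rule follows the Docker image reference grammar (first path component is a registry only if it contains `.` or `:` or is `localhost`).

```python
"""Checks for the "trusted repos" control: every image a build pulls must
come from an allow-listed registry and be pinned by digest.  Added example;
the allow-list, the Dockerfile and the digest are constructed placeholders."""
import re

# Assumed allow-list of hardened image sources (example.com is a reserved name).
TRUSTED_REGISTRIES = {"registry.example.com", "public.ecr.aws"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# FROM [--platform=...] <ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE)


def parse_image_ref(ref: str) -> dict:
    """Split [registry/]path[:tag][@digest].  The first path component is a
    registry only if it looks like a host (contains '.' or ':' or is
    'localhost'); otherwise the image comes from Docker Hub."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry, path = "docker.io", ref
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):          # a ':' after the last '/' starts the tag
        path, tag = path[:colon], path[colon + 1:]
    return {"registry": registry, "path": path, "tag": tag, "digest": digest}


def check_image(ref: str, trusted=TRUSTED_REGISTRIES):
    """Return (ok, problems) for one image reference."""
    p = parse_image_ref(ref)
    problems = []
    if p["registry"] not in trusted:
        problems.append(f"registry {p['registry']} is not in the trusted list")
    if p["digest"] is None:
        tag = p["tag"] or "latest"
        problems.append(f"not pinned by digest: tag '{tag}' can be re-pointed after scanning")
    elif not DIGEST_RE.match(p["digest"]):
        problems.append("digest is not a well-formed sha256")
    return (not problems, problems)


def audit_dockerfile(text: str, trusted=TRUSTED_REGISTRIES):
    """Check every FROM line; a reference to an earlier build stage is not a pull."""
    stages, findings = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.lower() not in stages:
            ok, problems = check_image(ref, trusted)
            if not ok:
                findings.append({"line": lineno, "image": ref, "problems": problems})
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return findings


# Constructed sample: placeholder digest and a Dockerfile with one compliant
# pull, two policy violations and one stage reference that must be skipped.
SAMPLE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = f"""\
FROM registry.example.com/base/python@{SAMPLE_DIGEST} AS build
RUN pip install --no-cache-dir -r requirements.txt
FROM ubuntu:latest
FROM --platform=linux/amd64 public.ecr.aws/base/runtime:1.2
FROM build
COPY --from=build /app /app
"""

if __name__ == "__main__":
    for f in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f['line']}: {f['image']}: {'; '.join(f['problems'])}")
```

Run on the sample, the check flags line 3 (Docker Hub is not on the allow-list, and `latest` is a mutable tag) and line 4 (trusted registry, but no digest), and leaves `FROM build` alone because it names a stage rather than an image. The same function can be pointed at the image references in a compose file or deployment manifest; the digest requirement is what turns "we scanned it" into "we run what we scanned".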
17. Implementation - SDLC
The SDLC is based on a CI/CD pipeline
Automatic
• SAST – Static Application Security Testing
• DAST – Dynamic Application Security Testing
• SCA – Software Component Analysis
• Container vulnerability analysis
18. Implementation - SDLC
Manual
• Prioritization and planning
• Pull requests and code review
– Code review guidelines call out security concerns with a standard checklist
• PR approval, and release authorization
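Slides 13, 14 and 17-18 together describe one decision: a release gate that takes the change type from the change-management policy, the normalized findings from the SAST/SCA/container scans, and the CVSS-based remediation SLA, and produces both a deploy/block decision and the evidence that later answers "where's the evidence?". The following is an added example of that gate, not Tehama's code or any CI product's API. The CVSS severity bands are the standard CVSS v3 ones; the SLA day counts in `SLA_DAYS`, the change-type names, the `Finding` layout, the waiver mechanism and the sample findings with their placeholder ids are assumptions made for the example.

```python
"""Release gate tying change type (slide 13) to CVSS-based triage with
remediation SLAs (slide 14) and emitting an evidence record (slide 22).
Added example; SLA values, change-type names and sample findings are
assumptions, not Tehama's policy."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLA in days per severity band (illustrative, not from the deck).
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
CHANGE_TYPES = {"standard", "high_risk", "emergency"}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score > 0.0 else "NONE"


@dataclass(frozen=True)
class Finding:
    tool: str                 # which scanner reported it: sast, dast, sca, container
    vuln_id: str              # CVE id for SCA/container findings, tool id for SAST
    cvss: float
    first_seen: date          # the SLA clock starts when a scanner first reports it
    waiver_until: Optional[date] = None   # accepted-risk exception, with an expiry


def due_date(f: Finding) -> Optional[date]:
    sev = cvss_severity(f.cvss)
    return None if sev == "NONE" else f.first_seen + timedelta(days=SLA_DAYS[sev])


def is_overdue(f: Finding, today: date) -> bool:
    """Past SLA and not covered by a waiver that is still current."""
    due = due_date(f)
    if due is None or today <= due:
        return False
    return f.waiver_until is None or today > f.waiver_until


def release_gate(change_type: str, findings, today: date,
                 security_approved: bool = False) -> dict:
    """Decide deploy/block and return the evidence record for the release ticket."""
    if change_type not in CHANGE_TYPES:
        raise ValueError(f"unknown change type: {change_type}")
    overdue = [f for f in findings if is_overdue(f, today)]
    # Every unwaived finding with an SLA gets a remediation ticket, overdue or not.
    tickets = [{"id": f.vuln_id, "tool": f.tool, "severity": cvss_severity(f.cvss),
                "due": due_date(f).isoformat()}
               for f in findings if f.waiver_until is None and due_date(f) is not None]
    reasons = []
    if change_type == "emergency":
        decision = "deploy"                     # never block an emergency change
        reasons.append("emergency change: approval is collected post-release")
    else:
        if change_type == "high_risk" and not security_approved:
            reasons.append("high-risk change needs classic security approval")
        if overdue:
            reasons.append(f"{len(overdue)} finding(s) past remediation SLA without a current waiver")
        decision = "block" if reasons else "deploy"
        if decision == "deploy":
            reasons.append("standard change is pre-approved" if change_type == "standard"
                           else "security approval recorded")
    return {
        "date": today.isoformat(),
        "change_type": change_type,
        "decision": decision,
        "reasons": reasons,
        "overdue": [f.vuln_id for f in overdue],
        "remediation_tickets": tickets,
    }


# Constructed sample scan output; the ids are placeholders, not real CVEs.
TODAY = date(2024, 5, 20)
AFTER_WAIVER = date(2024, 7, 1)


def sample_findings():
    return [
        Finding("sca", "CVE-XXXX-0001", 9.8, date(2024, 5, 1)),
        Finding("container", "CVE-XXXX-0002", 5.3, date(2024, 5, 1)),
        Finding("sast", "SAST-XXXX-0003", 7.5, date(2024, 4, 1), waiver_until=date(2024, 6, 30)),
    ]


if __name__ == "__main__":
    for ct in sorted(CHANGE_TYPES):
        print(release_gate(ct, sample_findings(), TODAY))
```

With the sample data a standard change is blocked because the critical SCA finding is twelve days past its seven-day SLA; the high-severity SAST finding is also past its SLA but carries a current waiver, so it does not block until the waiver expires. An emergency change deploys regardless, but the record still lists the overdue finding, which is exactly the "post release approval" trail the change policy calls for. The returned dict is meant to be attached to the release ticket as-is: it is generated by the pipeline during normal work, not assembled before an audit.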
19. Implementation - Monitoring
Vulnerability plan includes intrusion detection
Requires monitoring and alerting to detect incidents
• Alerting will launch Incident Response (IR)
• Note, manual detection is still in scope
– Strange system behaviour
– Customer reports
– AWS security
– Law enforcement
20. Implementation - IR
Vulnerability plan includes intrusion detection
Requires monitoring and alerting to detect incidents
• Alerting will launch Incident Response (IR)
• Manual detection is still in scope
– Noticing strange system behaviour
– Customer reports
– AWS security
– Law enforcement
21. Implementation - IR and Logging
DevOps includes a focus on monitoring and observability
• This adds big value
• Enables robust Incident Response and troubleshooting capabilities
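Slides 19-21 make the point that intrusion detection is part of the vulnerability plan and that an alert is what launches IR, which only works if the detection logic runs over logs that are actually structured enough to parse. The following is an added example of one such detector run over constructed authentication log lines; it is not Tehama's code or the output of any monitoring product. The line format, the failure threshold and window, the alert fields and the sample lines are assumptions made for the example, and the source addresses come from the reserved documentation ranges.

```python
"""Detection logic for the monitoring/alerting step: find a burst of failed
logins from one source address and escalate when that source then succeeds.
The alert carries the evidence a responder needs and the action that opens
the incident.  Added example; the log format, thresholds and sample lines are
constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed structured line format emitted by the auth service.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str):
    """Return a parsed event, or None for a line not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> dict:
    """Sliding-window count of failures per source address.

    `threshold` failures inside `window` raise a medium alert; a later success
    from the same source raises it to high, since the account may now be
    compromised.  Malformed lines are counted rather than silently dropped: a
    parser that stops on bad input is itself a monitoring gap."""
    fails = defaultdict(deque)      # src -> timestamps of recent failures
    users = defaultdict(set)        # src -> account names tried from that source
    open_alerts = {}                # src -> index into alerts
    alerts, malformed, processed = [], 0, 0
    for raw in lines:
        processed += 1
        ev = parse_line(raw)
        if ev is None:
            malformed += 1
            continue
        src, q = ev["src"], fails[ev["src"]]
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            users[src].add(ev["user"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()             # age out failures older than the window
            if len(q) >= threshold:
                if src not in open_alerts:
                    open_alerts[src] = len(alerts)
                    alerts.append({"src": src, "severity": "medium",
                                   "first_failure": q[0].strftime(TS_FMT),
                                   "action": "open_incident"})
                a = alerts[open_alerts[src]]
                a["failures"] = len(q)
                a["users_tried"] = sorted(users[src])
        elif src in open_alerts:
            # Success after a flagged burst: treat as a likely account compromise.
            a = alerts[open_alerts[src]]
            a["severity"] = "high"
            a["succeeded_as"] = ev["user"]
    return {"lines_processed": processed, "malformed_lines": malformed, "alerts": alerts}


# Constructed sample log: one noisy source that eventually succeeds, one
# benign typo-then-success, and one line the parser cannot read.
SAMPLE_LOG = """\
2024-05-20T10:00:01Z auth user=alice src=203.0.113.7 result=FAIL
2024-05-20T10:00:09Z auth user=alice src=203.0.113.7 result=FAIL
2024-05-20T10:00:15Z auth user=bob src=203.0.113.7 result=FAIL
2024-05-20T10:00:20Z auth user=carol src=198.51.100.4 result=FAIL
2024-05-20T10:00:31Z auth user=bob src=203.0.113.7 result=FAIL
this line is not in the expected format
2024-05-20T10:00:44Z auth user=alice src=203.0.113.7 result=FAIL
2024-05-20T10:01:02Z auth user=alice src=203.0.113.7 result=FAIL
2024-05-20T10:01:30Z auth user=carol src=198.51.100.4 result=OK
2024-05-20T10:02:10Z auth user=alice src=203.0.113.7 result=OK
2024-05-20T10:03:00Z auth user=dave src=192.0.2.9 result=OK
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG)["alerts"]:
        print(alert)
```

On the sample the detector opens one incident for 203.0.113.7 at the fifth failure, keeps counting while the burst continues, and escalates it to high when the same source then succeeds as `alice`; the single failure from 198.51.100.4 never reaches the threshold and produces nothing. The `malformed_lines` counter is worth alerting on in its own right: a sudden jump usually means a log format change upstream, which is the quiet way a detection stops working. The threshold and window are the parts a team tunes against its own baseline, and a successful login is deliberately not used to reset the failure count, so that a short success cannot be used to clear the window.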
22. Where’s the Evidence?
• Agile planning
• Work ticket workflow
– Pull requests
• CI/CD scan logs
– Remediation tickets
• Release ticket workflow
– Authorization
• Production monitoring
• Incident tickets
• Chat Ops
• Blameless post-mortems
– Remediation tickets
23. Results
• Last pen test had no findings
• Security and compliance dev work is not exceptional
• First audit (Type 1) passed without complications
– Kudos from auditors
• Second audit (Type 2) had no major out of band work for developers or compliance
• Continuous improvement on logging and monitoring
• IR and post-mortem process well established
24. References
• DevOpsSec: Securing software through continuous delivery
– https://www.safaribooksonline.com/library/view/devopssec/9781491971413/
• DevOps Audit Defense Toolkit
– https://itrevolution.com/devops-audit-defense-toolkit/
• The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations
– Chapter 19
– Section VI
– Appendix 9
– https://www.amazon.ca/DevOps-Handbook-World-Class-Reliability-Organizations/dp/1942788002
25. References
• Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations
– Chapter 6
– https://www.amazon.ca/Accelerate-Software-Performing-Technology-Organizations/dp/1942788339/
• Incident Management for Operations
– https://www.amazon.ca/Incident-Management-Operations-Rob-Schnepp/dp/1491917628/
• Pagerduty Incident Response
– https://response.pagerduty.com/
• Incident Response: Trade-offs Under Pressure
– https://www.slideshare.net/InfoQ/incident-response-tradeoffs-under-pressure
26. References
• Blameless PostMortems and a Just Culture
– https://codeascraft.com/2012/05/22/blameless-postmortems/
• The infinite hows
– https://www.oreilly.com/ideas/the-infinite-hows
• Debriefing Facilitation Guide
– https://extfiles.etsy.com/DebriefingFacilitationGuide.pdf
• Was it technical failure or human error?
– https://www.youtube.com/watch?v=Ygx2AI2RtkI
• AWS Monitoring & Logging
– https://www.slideshare.net/JasonPoley/aws-monitoring-logging
• Container & Microservice Security
– https://www.youtube.com/watch?v=8tDpGyVV8OQ