This document discusses DevSecOps and covers the good, bad, and ugly aspects. DevSecOps aims to integrate security practices into the development lifecycle like threat modeling, security testing, and monitoring. The good aspects include finding vulnerabilities early through testing and reviewable infrastructure policies. The bad parts are potential performance issues and loss of availability from tools. The ugly challenges are misunderstandings causing disasters, unstable new tools causing false alarms, and responsibility over security. Overall, DevSecOps is about people, process, and integrating security throughout the development lifecycle rather than just tools.

1. DevSecOps
The Good, Bad, and Ugly
DevOps TW Meetup #28

2. 4ndersonLin
Whois
I am Anderson Lin
MaiCoin Cyber Security Engineer
AWS Certified All-5 + Sec specialty

3. Agenda
➔ Security and DevOps
➔ The Good
➔ The Bad
➔ The Ugly

4. Security and DevOps

6. Reality
Maybe we still need some security:
- Business about money and sensitive data
- Company policy
- Local law and regulation issue

8. Some interesting data: The trend

9. DevSecOps
The Overview

10. Life cycle of DevSecOps
Build ReleaseTest
Plan Monitor
Threat modeling
SAST
Code review
Common test
DAST
Configuration validation
Logging
Telemetry
Detect & response attack
Update threat model
Analysis incident

11. DevOps periodic table
Ref: https://digital.ai/periodic-table-of-devops-tools

12. Different Viewpoints
DevSecOps:
- Dev
- Sec
- Ops

13. Developer viewpoint
DevSecOps:
- Application static/dynamic testing in CI/CD
- Secure by design

14. Security viewpoint
DevSecOps:
- Policy as code
- Vulnerability, Patch
- Response

15. Ops viewpoint
DevSecOps:
- Reviewable infrastructure (Infra as code)
- Monitoring more items

16. Recap
- The life cycle
- From different viewpoint
- Dev
- Sec
- Ops
- Boss--
Ref: https://eiki.hatenablog.jp/entry/meteo_fall

17. DevSecOps
The GOOD

18. The GOOD: low hanging fruit
Secure by design
Left shift of testing
- Found and fix the vulnerability early
Reviewable infrastructure and policy
- IaC
- Pac
Monitoring makes response faster

19. DevSecOps
The BAD

20. The BAD: Sometimes we can solve it
Performance issue
Loss availability
Tools are good but people
- Threat modeling still need dev team’s help
- Trust issue: when the red team coming
Vulnerability of sec tools
- Exploiting image scanners by matuzg
Overdesign
Ref:
https://medium.com/@matuzg/testing-docker
-cve-scanners-part-2-5-exploiting-cve-scan
ners-b37766f73005

21. DevSecOps
The UGLY

22. The UGLY: The Hardest part
Misunderstanding or Misconfiguration = Disaster
- “... ***-WAF-Role...” ~= 80M USD
New tools not stable…
- Falco:
More false positive alarm...
Security is always lagging...
Who will take the responsibility?
Ref: https://github.com/falcosecurity/falco/issues/1403

23. Summary

24. Summary
DevSecOps
- The Good
- The Bad
- The Ugly
More than tool, process… the key is people and culture

26. Take away
Conference
- Blackhat
- Defcon
- DevSecCon
- DevSecOps days
- RSA
DevSecOps youtube channel
- https://www.youtube.com/channel/UCmzqpR98J4KtLj4K7RRRwEw
Tools collection
- https://github.com/devsecops/awesome-devsecops
- https://github.com/4ndersonLin/awesome-cloud-security It’s me! Please contribute!

27. We are Hiring
https://github.com/MaiAmis/Careers

28. Thanks!
Any questions?
You can find me at
4nderson.lin@pm.me