DevSecOps What Why and How

•

3 likes•681 views

This document discusses DevSecOps, including what it is, why it is needed, and how to implement it. DevSecOps aims to integrate security into development tools and processes to promote a "secure by default" culture. It is needed because traditional security approaches cannot keep up with the rapid pace of DevOps. Implementing DevSecOps involves automating security checks and tests into the development pipeline and promoting collaboration between development, security, and operations teams. The document provides examples of tools that can be used and case studies of DevSecOps implementations.

Technology

DevSecOps: What, Why and How
Anant Shrivastava, NotSoSecure (Claranet Cyber Security)

Agenda
● What is DevSecOps?
● Why do we need DevSecOps?
● How do we do DevSecOps?
● Integrate Security in Pipeline
● Tools of Trade
● Sample Implementation
● Case Studies

Disclaimer
● I will be listing a lot of tools, It’s not an exhaustive list
● I don't endorse or recommend any specific tool / vendor
● Every environment is different: Test and validate before
implementing any ideas

What is DevSecOps?
Effort to strive for “Secure by Default”
● Integrate Security in tools
● Create Security as Code culture
● Promote cross skilling

Why do we need DevSecOps?
● DevOps moves at rapid pace, traditional security just can’t
keep up
● Security as part of process is the only way to ensure safety

Shifting Left saves cost & time
Developer /QA Penetration
Testing

Shifting Left saves cost & time
1 SQL Injection
Fewer Man Day Effort
No New Deployments
Automated Source
Code Review
Developer /QA Penetration
Testing

How do we do DevSecOps?
● DevSecOps is Automation + Cultural Changes
● Integrate security into your DevOps Pipeline
● Enable cultural changes to embrace DevSecOps

To be or not to be in Pipeline
● API / command line access
● Execution start to final output should be 15 minutes max
● Containerized / scriptable
● Minimal licensing limitations (parallel scans or threads)
● Output format parsable / machine readable (no stdout, yes
to json /xml)
● Configurable to counter false negatives / false positives

What about Cloud
•The Threat Landscape changes
- Identity and Access Management
- Billing Attacks
• Infrastructure as Code allows quick audit / linting
• Focus more on:
- Security groups
- Permissions to resources
- Rouge /shadow admins
- Forgotten resources (compromises / billing)

Cultural Aspect
● Automation alone will not solve the problems
● Focus on collaboration and inclusive culture
● Encourage security mindset specially if it's outside sec team
● Build allies (security champions) in company
● Avoid Blame Game

● Bridge between Dev, Sec and Ops teams
● Build Security Champions
● Single Person per team
● Everyone provided with similar cross skilling opportunities
● Incentivize other teams to collaborate with Sec team
● Internal Bug bounties
● Sponsor Interactions (Parties / get-togethers)
● Sponsor cross skilling trainings for other teams
Security Champion

Case Study: Last one I promise
Prevention: Patching and Continuous monitoring of Assets

Is it Enough?
● Rite of passage by periodic pen test and continuous bug bounty
● It's not just important to get feedback but to also action on them
● Risk Acceptance Documentation should be the worst case scenario
not your first bet

References
•https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defendin
g-Web-Applications-in-the-Age-of-DevOps.pdf
•https://www.sonatype.com/hubfs/2018%20State%20of%20the%20Software%20Supply%20
Chain%20Report.pdf
•https://snyk.io/opensourcesecurity-2019/
•https://www.veracode.com/state-of-software-security-report

Key Takeaways
● Security is everyone responsibility
● Embrace security as an integral part of the process, use feedback to
refine the process
● DevSecOps is not a one size fit all: your mileage will vary

What's hot

The State of DevSecOps

DevOps Indonesia

DevSecOps : an Introduction

Prashanth B. P.

Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.

Introduction to DevSecOps

Amazon Web Services

An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future. Agenda: -DevSecOps Introduction -Key Challenges, Recommendations -DevSecOps Analysis -DevSecOps Core Practices -DevSecOps pipeline for Application & Infrastructure Security -DevSecOps Security Tools Selection Tips -DevSecOps Implementation Strategy -DevSecOps Final Checklist

Introduction to DevSecOps

Setu Parimi

In this Practical DevSecOps's DevSecOps Live online meetup, you’ll learn DevSecOps Challenges and Opportunities. Join Mohan Yelnadu, head of application security at Prudential Insurance on his DevSecOps Journey. He will cover DevSecOps challenges he has faced and how he converted them into opportunities. He will cover the following as part of the session. DevSecOps Challenges. DevSecOps Opportunities. Converting Challenges into Opportunities. Quick wins and lessons learned. … and more useful takeaways!

[DevSecOps Live] DevSecOps: Challenges and Opportunities

Mohammed A. Imran

DevOps to DevSecOps Journey..

Siddharth Joshi

2019 DevSecOps Reference Architectures

Sonatype

DevSecOps

Joel Divekar

DevSecOps Basics with Azure Pipelines

Abdul_Mujeeb

Link to Youtube video: https://youtu.be/-awH_CC4DLo You can contact me at abhimanyu.bhogwan@gmail.com My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/ Basic Introduction to DevSecOps concept Why What and How for DevSecOps Basic intro for Threat Modeling Basic Intro for Security Champions 3 pillars of DevSecOps 6 important components of a DevSecOps approach DevSecOps Security Best Practices How to integrate security in CI/CD pipeline

Introduction to DevSecOps

abhimanyubhogwan

DEVSECOPS.pptx

MohammadSaif904342

DEVSECOPS: Coding DevSecOps journey

Jason Suttie

Security will always be our top priority. Agile deployment methods require a set of dynamic built-in security controls that keep pace with innovation and scale. In this session we will utilise the power of automation with the AWS platform to increase the agility of developers while maintaining a strong security posture. Speaker: David Faulkner, Senior Technical Account Manager, Amazon Web Services

Implementing DevSecOps

Amazon Web Services

DevSecOps: Taking a DevOps Approach to Security

Alert Logic

ABN AMRO DevSecOps Journey

Derek E. Weeks

DevSecOps Singapore introduction

Stefan Streichsbier

DevSecOps means considering application and infrastructure security from the beginning. This also means automating some security doors to prevent the DevOps workflow from slowing down. The goal of DevSecOps (development, security, and operations) is to make everyone responsible for security, with the main target on implementing security decisions and actions at an equivalent scale and speed as development and operations decisions and actions. Implementing DevSecOps are often an elaborate process for a corporation , but well worthwhile when considering the advantages . Implementation usually includes the subsequent stages: Planning and development Building and testing Deployment and operation Monitoring and scaling Tonex's DevSecOps Training Bootcamp DevSecOps training Bootcamp is a practical DevSecOps course, participants can acquire in-depth knowledge and skills to apply, implement and improve IT security in modern DevOps. Participants understand DevOps and DevSecOps to take full advantage of the agility and responsiveness of the secure DevOps method, IT security on SDLC, and the entire life cycle of the application. DevSecOps Training Bootcamp focuses on: Concepts Principles Processes Policies Guidelines Mitigation Applied Risk Management Framework (RMF) Technical Skills Audience: Security Staff IT Leadership IT Infrastructure CIOs / CTOs /CSO Configuration Managers Developers and Application Team Members and Leads IT Operations Staff IT Project & Program Managers Product Owners and Managers Release Engineers Agile Staff and ScrumMasters Software Developers Software Team Leads System Admin Training Objectives: Identify and explain the phases of the DevOps life cycle Define the roles and responsibilities that support the DevOps environment Describe the security components of DevOps and determine its risk principles Analyze, evaluate and automate DevOps application security across SDLC Identify and explain the characteristics required to meet the definition of DevOps computing security Discuss strategies for maintaining DevOps methods Perform gap analysis between DevOps security benchmarks and industry standard best practices Evaluate and implement the safety controls necessary to make sure confidentiality, integrity and availability (CIA) in DevOps environments Perform risk assessments of existing and proposed DevOps environments Integrate RMF with DevOps Explain the role of encryption in protecting data and specific strategies for key management And more. Course Content: DevOps vs. DevSecOps DevOps Security Requirements DevOps Typical Security Activities Tools for Securing DevOps Principles Behind DevSecOps DevSecOps and Application Security How to DevSecOps DevSecOps Maturity RMF, DevOps and DevSecOps For More Information: https://www.tonex.com/training-courses/devsecops-training-bootcamp/

DevSecOps Training Bootcamp - A Practical DevSecOps Course

Tonex

Slide DevSecOps Microservices

Hendri Karisma

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...

Mohamed Nizzad

DevSecOps | DevOps Sec

Rubal Jain

What's hot (20)

The State of DevSecOps

DevSecOps : an Introduction

Introduction to DevSecOps

[DevSecOps Live] DevSecOps: Challenges and Opportunities

DevOps to DevSecOps Journey..

2019 DevSecOps Reference Architectures

DevSecOps

DevSecOps Basics with Azure Pipelines

Introduction to DevSecOps

DEVSECOPS.pptx

DEVSECOPS: Coding DevSecOps journey

Implementing DevSecOps

DevSecOps: Taking a DevOps Approach to Security

ABN AMRO DevSecOps Journey

DevSecOps Singapore introduction

DevSecOps Training Bootcamp - A Practical DevSecOps Course

Slide DevSecOps Microservices

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...

DevSecOps | DevOps Sec

Similar to DevSecOps What Why and How

Year Zero

leifdreizler

In the fusion between DevOps and DevSecOps, the pace and agility of the DevSecOps approach made AppSec and InfoSec were a little left behind. The DevOps squad topology does not involve any of the organization's AppSec and InfoSec Engineer. Many DevOps team are also not included them since they lack the information on how to manage and configure DevOps CI / CD pipelines and DevSecOps approaches. There's no shortage of talent — you probably don't have a mission worth getting out of bed or a culture that fosters continuous learning such DevSecOps skill and tools and growth where people feel psychologically safe. Besides, there is no shortage of skills — most have a poor understanding of what they need to be successful or the skills that need to leverage to improve their security posture.

Why Security Engineer Need Shift-Left to DevSecOps?

Najib Radzuan

A journey into Application Security

Christian Martorella

Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go? Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why. She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies. Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.

Security engineering 101 when good design & security work together

Wendy Knox Everette

If you thought it was difficult bringing the Ops and Dev teams to the same table, let’s talk about security! Often housed in a separate team, security experts have no incentive to ship software, with a mission solely to minimise risk. This talk is a detailed case study of bringing security into DevOps. We’ll look at the challenges and tactics, from the suboptimal starting point of a highly regulated system with a history of negative media attention. It follows an Agile-aspiring Government IT team from the time when a deployable product was "finished" to when the application was first deployed many months later. This talk is about humans and systems - in particular how groups often need to flex beyond the bounds of what either side considers reasonable, in order to get a job done. We’ll talk about structural challenges, human challenges, and ultimately how we managed to break through them. There are no villains - everybody in this story is a hero, working relentlessly through obstacles of structure, time, law, and history. Come hear what finally made the difference, filling in the missing middle of DevSecOps.

DevSecOps at Agile 2019

Elizabeth Ayer

Real world dev ops

Mohan Krishnan

The Unlikely Couple, DevOps and Security. Can it work?

Todd Benson (I.T. SPECIALIST and I.T. SECURITY)

"Running enterprise workloads with sensitive data in AWS is hard and requires an in-depth understanding about software-defined security risks. At re:Invent 2014, Intuit and AWS presented ""Enterprise Cloud Security via DevSecOps"" to help the community understand how to embrace AWS features and a software-defined security model. Since then, we've learned quite a bit more about running sensitive workloads in AWS. We've evaluated new security features, worked with vendors, and generally explored how to develop security-as-code skills. Come join Intuit and AWS to learn about second-year lessons and see how DevSecOps is evolving. We've built skills in security engineering, compliance operations, security science, and security operations to secure AWS-hosted applications. We will share stories and insights about DevSecOps experiments, and show you how to crawl, walk, and then run into the world of DevSecOps."

(SEC402) Enterprise Cloud Security via DevSecOps 2.0

Amazon Web Services

In this case-study talk, we will share Brent’s journey through the adoption of modern observability practices as he operated an architecture of distributed services. Facing difficulties using application logs as the primary tool to debug performance and reliability issues? Learn how to improve your company toolkit and engineering habits using existing monitoring tools with the addition of distributed tracing. https://confoo.ca/en/yul2020/session/from-grief-to-growth-the-7-stages-of-observability

[Confoo Montreal 2020] From Grief to Growth: The 7 Stages of Observability - ...

Ambassador Labs

Agile Software and DevOps Essentials

Narayanan Subramaniam

Building Security Teams

Astera Esther Schneeweisz

DevSecOps: Integrating Security Into Your SDLC

Dev Software

DevOps purists may chafe at the DevSecOps term given that security and other important practices are supposed to already be an integral part of routine DevOps workflows. But the reality is that security often gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats. In this session, we’ll look at successful practices that distributed and diverse teams use to iterate rapidly. We’ll discuss how a container platform can serve as the foundation for DevSecOps in your organization. We'll also consider the risk management associated with integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning. Finally, we'll show ways by which automation and repeatable trusted delivery of code can be built directly into a DevOps pipeline.

DevSecOps: The Open Source Way

Black Duck by Synopsys

How To Implement DevSecOps In Your Existing DevOps Workflow

Enov8

CISSP Week 12

jemtallon

Software Security Initiative Capabilities: Where Do I Begin?

Cigital

_Best practices towards a well-polished DevSecOps environment (1).pdf

Enov8

SDLC & DevSecOps

Irina Kostina

Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics.Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking. Remediation steps rarely include management objectives. General lack of excitement for Blue Team functions. Red team is sexy, but just a tool. Do you even have a JBOSS server? (Then why are you seeing alerts for it?)

Purple Teaming - The Collaborative Future of Penetration Testing

FRSecure

Deepfence.pdf

Vishwas N

Similar to DevSecOps What Why and How (20)

Year Zero

Why Security Engineer Need Shift-Left to DevSecOps?

A journey into Application Security

Security engineering 101 when good design & security work together

DevSecOps at Agile 2019

Real world dev ops

The Unlikely Couple, DevOps and Security. Can it work?

(SEC402) Enterprise Cloud Security via DevSecOps 2.0

[Confoo Montreal 2020] From Grief to Growth: The 7 Stages of Observability - ...

Agile Software and DevOps Essentials

Building Security Teams

DevSecOps: Integrating Security Into Your SDLC

DevSecOps: The Open Source Way

How To Implement DevSecOps In Your Existing DevOps Workflow

CISSP Week 12

Software Security Initiative Capabilities: Where Do I Begin?

_Best practices towards a well-polished DevSecOps environment (1).pdf

SDLC & DevSecOps

Purple Teaming - The Collaborative Future of Penetration Testing

Deepfence.pdf

Recently uploaded

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Product School

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

JMeter webinar - integration with InfluxDB and Grafana

RTTS

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

Intrigued by why some of the world's largest companies (Netflix, Google, Cisco, Twitter, Uber etc) are using gRPC? In this demo based talk we delve into the world of gRPC in .Net, what it does and why we should use it. We compare the interface with both Rest and graphQL. We will show you how to implement grpc server-side in .net and in the web. Finally, I will show you how the tooling helps you deliver powerful interfaces and interact with them quickly and simply.

Demystifying gRPC in .Net by John Staveley

John Staveley

As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other? Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Tobias Schneck

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

The Future of Platform Engineering

Jemma Hussein Allen

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

Welcome to UiPath Test Automation using UiPath Test Suite series part 2. In this session, we will cover API test automation along with a web automation demo. Topics covered: Test Automation introduction API Example of API automation Web automation demonstration Speaker Pathrudu Chintakayala, Associate Technical Architect @Yash and UiPath MVP Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 2

DianaGray10

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

Connector Corner: Automate dynamic content and events by pushing a button

DianaGray10

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»

QADay

In this session, we will showcase how to revolutionize automated testing for your software, automation, and QA teams with UiPath Test Suite. In part 1 of UiPath test automation using UiPath Test Suite – developer series, we will cover, Software testing overview What is software testing Why software testing is required Typical test types and levels Continuous testing and challenges Introduction to UiPath Test Suite UiPath Test Suite family of products Speaker: Atul Trikha, Chief Technologist & Solutions Architect, Peraton and UiPath MVP Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 1

DianaGray10

Speed Wins: From Kafka to APIs in Minutes

confluent

Recently uploaded (20)

Essentials of Automations: Optimizing FME Workflows with Parameters

How world-class product teams are winning in the AI era by CEO and Founder, P...

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPath Test Automation using UiPath Test Suite series, part 3

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

JMeter webinar - integration with InfluxDB and Grafana

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Demystifying gRPC in .Net by John Staveley

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

ODC, Data Fabric and Architecture User Group

The Future of Platform Engineering

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

UiPath Test Automation using UiPath Test Suite series, part 2

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Connector Corner: Automate dynamic content and events by pushing a button

FIDO Alliance Osaka Seminar: Overview.pdf

НАДІЯ ФЕДЮШКО БАЦ «Професійне зростання QA спеціаліста»

UiPath Test Automation using UiPath Test Suite series, part 1

Speed Wins: From Kafka to APIs in Minutes

DevSecOps What Why and How

1. DevSecOps: What, Why and How Anant Shrivastava, NotSoSecure (Claranet Cyber Security)

2. About: Anant Shrivastava

3. Agenda ● What is DevSecOps? ● Why do we need DevSecOps? ● How do we do DevSecOps? ● Integrate Security in Pipeline ● Tools of Trade ● Sample Implementation ● Case Studies

4. Disclaimer ● I will be listing a lot of tools, It’s not an exhaustive list ● I don't endorse or recommend any specific tool / vendor ● Every environment is different: Test and validate before implementing any ideas

5. What is DevSecOps? Effort to strive for “Secure by Default” ● Integrate Security in tools ● Create Security as Code culture ● Promote cross skilling

6. Why do we need DevSecOps? ● DevOps moves at rapid pace, traditional security just can’t keep up ● Security as part of process is the only way to ensure safety

7. Shifting Left saves cost & time Developer /QA Penetration Testing

8. Shifting Left saves cost & time 1 SQL Injection Fewer Man Day Effort No New Deployments Automated Source Code Review Developer /QA Penetration Testing

9. How do we do DevSecOps? ● DevSecOps is Automation + Cultural Changes ● Integrate security into your DevOps Pipeline ● Enable cultural changes to embrace DevSecOps

10. Injecting Sec in DevOps

11. Sample Implementation

12. Tools of the trade

13. Tools of the trade

14. To be or not to be in Pipeline ● API / command line access ● Execution start to final output should be 15 minutes max ● Containerized / scriptable ● Minimal licensing limitations (parallel scans or threads) ● Output format parsable / machine readable (no stdout, yes to json /xml) ● Configurable to counter false negatives / false positives

15. What about Cloud •The Threat Landscape changes - Identity and Access Management - Billing Attacks • Infrastructure as Code allows quick audit / linting • Focus more on: - Security groups - Permissions to resources - Rouge /shadow admins - Forgotten resources (compromises / billing)

16. Cultural Aspect ● Automation alone will not solve the problems ● Focus on collaboration and inclusive culture ● Encourage security mindset specially if it's outside sec team ● Build allies (security champions) in company ● Avoid Blame Game

17. ● Bridge between Dev, Sec and Ops teams ● Build Security Champions ● Single Person per team ● Everyone provided with similar cross skilling opportunities ● Incentivize other teams to collaborate with Sec team ● Internal Bug bounties ● Sponsor Interactions (Parties / get-togethers) ● Sponsor cross skilling trainings for other teams Security Champion

18. Security Enablers

19. Generic Case Study

20. Case Study

21. Case Study

22. More Case Studies

23. Case Study: Last one I promise Prevention: Patching and Continuous monitoring of Assets

24. Is it Enough? ● Rite of passage by periodic pen test and continuous bug bounty ● It's not just important to get feedback but to also action on them ● Risk Acceptance Documentation should be the worst case scenario not your first bet

25. References •https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defendin g-Web-Applications-in-the-Age-of-DevOps.pdf •https://www.sonatype.com/hubfs/2018%20State%20of%20the%20Software%20Supply%20 Chain%20Report.pdf •https://snyk.io/opensourcesecurity-2019/ •https://www.veracode.com/state-of-software-security-report

26. Key Takeaways ● Security is everyone responsibility ● Embrace security as an integral part of the process, use feedback to refine the process ● DevSecOps is not a one size fit all: your mileage will vary

DevSecOps What Why and How

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to DevSecOps What Why and How

Similar to DevSecOps What Why and How (20)

Recently uploaded

Recently uploaded (20)

DevSecOps What Why and How