The term DevSecOps has often been confused with securing DevOps, with security operations, or with using a secure development lifecycle in agile development. When you build security into DevOps and even into agile development, when do practices such as threat modeling, static application security testing, and dynamic application security testing occur? This session explains how sound architecture and implementation is key to providing DevSecOps capability with AWS. A core concept is that cybersecurity requirements are foundational and cannot be placed on a backlog indefinitely while development and operations are actively worked on.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
It’s in my backlog:
The truth behind DevSecOps
Randall Brooks, CISSP, CCSK
Engineering Fellow
Cyber Center of Excellence
Raytheon Company
F N D 2 1 7
Shawn Harris, CISSP-ISSAP, CCSP
Managing Principal Security Architect
Starbucks Coffee Company

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Disclaimer
This talk is purely the opinion of the speakers and does not
reflect the opinions of their employers.

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
An additional note
We are not the Cloud Security
Alliance (CSA)
We are our companies’ representatives to
the CSA and serve on the DevSecOps and
Cloud Control Matrix working groups
We will discuss the CSA often in
this talk

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Expected knowledge
You’re going to learn what
DevSecOps really is, how to
seamlessly integrate cybersecurity,
and which AWS tools are needed to
do so!

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
This talk in a nutshell
• The term DevSecOps has often been confused with “securing DevOps” or
“security Ops”—or using a secure development life cycle in agile
• If one is building security into their DevOps processes and even agile, when do
practices like threat modeling, static application security testing, and dynamic
application security testing occur?
• Sound architecture and implementation is key to providing a DevSecOps
capability with AWS
• A core concept is that cybersecurity requirements are foundational and cannot
be placed on a backlog indefinitely while the dev and the ops side of the
equation are worked actively

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• What is DevOps? DevSecOps?
• What is not DevSecOps? (in our humble opinion)
• How can one implement software assurance and security into DevOps?
• How can this be implemented in AWS?

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevOps
• “DevOps is a set of software
development practices that
combines software development
(Dev) and information technology
operations (Ops) to shorten the
system’s development life cycle
while delivering features, fixes, and
updates frequently in close
alignment with business objectives.”
—Wikipedia
• Shared-responsibility model

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps
• DevSecOps is short for development, security, and operations. Its mantra is to
make everyone responsible and accountable for security with the objective of
implementing security decisions and actions at the same scale and speed as
development and operations decisions and actions.

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Technical change or a cultural change?
• Leaning in over always saying no
• Data and security science over fear,
uncertainty, and doubt
• Open contribution and collaboration
over security-only requirements
• Consumable security services with
APIs over mandated security
controls and paperwork
• Business-driven security scores over
rubber-stamp security
• Red and blue team exploit testing
over relying on scans and
theoretical vulnerabilities
• 24-7 proactive security monitoring
over reacting after being informed
of an incident
• Shared threat intelligence over
keeping info to ourselves
• Compliance operations over
clipboards and checklists
—DevSecOps.org manifesto

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps life cycle

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
A DevSecOps workflow
• A developer writes source code and checks it into a source repository with
version control.
• Through automation, the code is tested via static application security testing.
Additionally, a peer review is conducted on the new code.
• If the code passes a defined bug bar, an environment is then created using an
infrastructure-as-code tool. This environment mirrors the operational
environment.

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
A DevSecOps workflow (continued)
• The software is deployed to this test environment in which dynamic application
security testing is conducted. Through test automation, the software is
instrumented and fuzzed along with other functionality and vulnerability tests.
• If the application passes these tests, it is deployed to a production
environment.
• This new production environment is monitored continuously to identify any
active security threats to the system.
• The whole workflow starts again.

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
!DevSecOps
• DevOps
• Agile
• Your application
security/software assurance
program
• Static code analysis
• Water[Scrum]fall

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What if DevSecOps was:
• DevOps
• Agile
• Your application
security/software assurance
program
• Static code analysis
• Water[Scrum]fall
When are security practices done?

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
First, one must have a secure development life cycle
(SDLC)
Microsoft SDL

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps is all about using training to influence cultural
change
• Include your site reliability engineering (SRE)/DevOps teams in SDLC
integrations planning (inclusion)
• Develop patterns for use
• Don’t rely on security professionals to do security planning alone
• Develop security as code

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Next, need to baby step and start “building security in”
• Embed static code analysis
• Add operational security
controls
• Automate

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Types of automation
• None (manual processes)
• Event driven (develop AWS
Lambda function based on
criteria)
• Full (playbooks developed for a
fully automated system)

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Governance

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Six pillars of DevSecOps by the CSA
1. Collectively responsible (culture)
2. Collaborate and integrate (training, process integration)
3. Pragmatic implementation
4. Bridge compliance and development gap
5. Automate
6. Measure
Just finished peer review

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps with AWS

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Example AWS pipelinewith security

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
#whoami
Mr. Randall Brooks is an engineering fellow for Raytheon Company (NYSE: RTN).
He is the director of the Raytheon Cyber Center of Excellence. Mr. Brooks
represents the company within the U.S. International Committee for Information
Technology Standards Cyber Security 1 (CS1) and the Cloud Security Alliance
(CSA). He has more than 20 years of experience in cybersecurity with a recognized
expertise in software assurance (SwA) and secure development life cycles (SDLC).
In addition to holding eight patents, Mr. Brooks is a CCSK, CISSP, CSSLP, ISSEP,
ISSAP, and ISSMP. He graduated from Purdue University with a bachelor’s of
science from the School of Computer Science.
brooks@raytheon.com

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
#whoami
Mr. Shawn Harris has over 25 years of information security experience. He is
currently the managing principal security architect at Starbucks Coffee Company.
Mr. Harris previously assisted with the initial development of the Certified Cloud
Security Professional (CCSP) certification, served on the NIST Cloud Computing
Security working group, IETF JOSE working group, the Cloud Security Alliance
CCM, CAIQ, and the Enterprise Architecture working groups. He has contributed
material for ISC2 CISSP, ISSAP, and CCSP examinations. Mr. Harris is currently co-
chair of a Cloud Security Alliance working group leading efforts to develop the
Cloud Control Matrix 4.0.
shharris@starbucks.com

30. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.