Application security
in a DevOps World
Bob Egner, CMO
be@outpost24.com
Helping customers improve security posture since 2001
Over 2,000 customers in all regions of the world
Really good at breaking technology
Agenda
DevOps background
Lingering security challenges
Evolution of DevSecOps
Putting it into practice
Takeaways
A brief history of (Application Development) time
1960’s – Waterfall: Assembler code widely used for development. The Waterfall methodology was coined in 1958.
1970’s – New languages: COBOL, PL1 and Pascal all made an appearance. DBMS gains traction in database management.
1980’s – SQL and OO: SQL and object oriented languages appear. Waterfall development still used, but in 1986 SCRUM is coined.
1990’s – WWW appears: 94 – Unified Process; 95 – JavaScript, SCRUM; 96 – Flash, Extreme Programming; 99 – concept of web applications.
2000’s – Agile (and Web) explode: 01 – Agile Manifesto; 05 – Ajax created for asynchronous web application development; 05 – Declaration of Interdependence; 09 – Software Craftsmanship Manifesto.
We need a Silver bullet
DevOps
• Coined in 2009
• Agile success drove integration between Development and Operations
• Results in the need for cultural change to encourage more collaboration
• Focus on application release automation, continuous integration and continuous delivery
• People | Process | Technology approach
By Kharnagy - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=51215412
But what about the Security team?
But is it really a Silver bullet?
Source: Verizon Data Breach Investigations Report 2017
Source: Verizon Data Breach Investigations Report 2018
DevSecOps – process, people & tools
People | Process | Technology (christopherspenn.com | @cspenn)
People – who’s doing stuff
Process – how stuff is done
Technology – what we do stuff with
Intersections: scale, innovate, automate
Are we fast enough? Are we efficient enough? Are we creating enough new value?
Challenges with DevOps and Security teams
• What happened to Secure by Design?
• Priority of security in DevOps migration
• Buy your way out with tools
• Focusing on the end instead of process management pushes higher “per fix” cost
How do we incorporate Security?
• Security has historically been a silo
• Secure by design is assumed part of the Agile mentality
• Process | People can break down the silo
• But does DevSecOps really work?
Slaying the myths of DevSecOps
• Security can’t fit into the DevOps process.
• Configuration management tools are all DevOps needs.
• Adopting DevOps eliminates the need for Security experts.
• If we can do DevOps we can do SecOps.
DevSecOps
• Distribute security decision making
  • to the right people
  • with the right context
  • at the right time
• Embedded into the team, easily accessible by Developers
• Gartner refers to these as ‘Champions’
People
Your Champion
• Has both domain experience and the desire to secure development
• Helps spot security problems sooner
• Assign champions to security analysts
• Helps security teams translate their priorities into development practices
Champion & Analyst
CHAMPION: member of the project team; key contact for security; not an expert; a requirement for each project
ANALYST: security team member; keeps security involved; key contact for the Champion(s)
Security by design thinking
• Links IT Security to Development teams and projects
• Encourage a community between champions and brokers
• Goal to improve the overall security posture
• Encourage developer collaboration with champions and analysts
Process
Shift left – improve maturity & lower fix costs
Development: Code and commit → Continuous integration & automated testing → Gate 1
Pre-production: Complete build & test → Non-functional testing → UAT → Gate 2
Production: Ongoing assessments
Shift left – simple steps
Development: Code and commit → Continuous integration & automated testing → Gate 1
Pre-production: Complete build & test → Non-functional testing → UAT → Gate 2
Production: Ongoing assessments
Simple steps to add along the pipeline: Penetration testing, Code reviews, Threat modeling
Technology
Choose the right tools for the job
• Before settling on what tools, ask yourself:
  • How frequent are your ’sprints’?
  • How long does each tool take to run?
  • Can it be wholly automated into the CI/CD process?
  • Is it noisy, does it generate lots of false positives?
• Answering these questions will help steer you in identifying the tools appropriate for your needs
Perfect is the enemy of Good
• Chasing perfection in a DevOps culture leads to slower development
• Don’t have to fix everything during development
• Compensate with other tools (IPS, WAF) to mitigate unknown vulnerabilities
• Focus on fixing the critical known vulnerabilities during Development
• The tools you select should be agile: in both integration and scanning speed
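As an added example that is not part of the webinar deck, the following Python sketch encodes the two preceding slides as a commit-stage policy: a tool is admitted to the gate only if it is automated, fast enough for the pipeline budget and not too noisy, and the gate blocks a build only on critical known vulnerabilities while deferring the rest to compensating controls and later stages. The tool names, run times, false-positive rates and findings are constructed sample data, not measurements of any real product.

```python
"""Added example, not from the webinar: a commit-stage security gate that
follows the deck's two rules. Tools, timings and findings below are
constructed sample data, not measurements of any real product."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tool:
    name: str
    runtime_min: int            # wall-clock minutes for one run
    automated: bool             # can run unattended inside CI/CD
    false_positive_rate: float  # share of past findings rejected as noise

@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str   # "critical", "high", "medium" or "low"
    known: bool     # confirmed vulnerability, not a speculative pattern match

@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)   # must be fixed this sprint
    deferred: list = field(default_factory=list)   # tracked; covered by IPS/WAF and later stages

def fits_pipeline(tool: Tool, budget_min: int, max_fp_rate: float = 0.3) -> bool:
    """Answer the slide's three questions: automated? fast enough for the
    sprint's pipeline budget? quiet enough to be trusted in a gate?"""
    return (tool.automated
            and tool.runtime_min <= budget_min
            and tool.false_positive_rate <= max_fp_rate)

def select_gate_tools(tools, budget_min: int) -> list:
    """Names of the tools that may run in the commit-stage gate."""
    return [t.name for t in tools if fits_pipeline(t, budget_min)]

def evaluate_gate(findings, block_severities=("critical",)) -> GateResult:
    """Block the build only on critical *known* vulnerabilities; everything
    else is deferred rather than chased to perfection during development."""
    result = GateResult(passed=True)
    for f in findings:
        (result.blocking if f.known and f.severity in block_severities
         else result.deferred).append(f)
    result.passed = not result.blocking
    return result

# Constructed sample data (hypothetical tools and findings).
TOOLS = [
    Tool("sast", runtime_min=12, automated=True, false_positive_rate=0.25),
    Tool("legacy-sast", runtime_min=5, automated=True, false_positive_rate=0.6),
    Tool("dast", runtime_min=180, automated=True, false_positive_rate=0.1),
    Tool("pentest", runtime_min=3 * 24 * 60, automated=False, false_positive_rate=0.02),
]
FINDINGS = [
    Finding("sast", "sql-injection", "critical", known=True),
    Finding("sast", "weak-hash-md5", "medium", known=True),
    Finding("dast", "possible-ssrf", "critical", known=False),
]
```

With a 30-minute pipeline budget only the quiet, fast SAST tool qualifies for the gate, and the sample findings block the build on the single known critical issue while the medium and unconfirmed findings are deferred.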
Tools for Success
• OpenAPI based to integrate seamlessly in the CI/CD toolchain
• Can be easily and quickly run by Developers
Tools in the AST kit
SAST – Static: automated; focused on developers; noisy
DAST – Dynamic: automated; operational system test; can’t address all cases
Penetration Test: manual; most comprehensive; low frequency use
MAST – Mobile: partially automated; focused on developers; lots of variants of test target
IAST – Interactive: automated; included in code; related to RASP (runtime application self protection)
Bug Bounty: manual; independent security researchers; pay by finding
Shift left – improve maturity & lower fix costs
Development: Code and commit → Continuous integration & automated testing → Gate 1
Pre-production: Complete build & test → Non-functional testing → UAT → Gate 2
Production: Ongoing assessments
Relative cost of each tool in the kit:
SAST – $
IAST – $$
DAST – $$
MAST – $$
Bug Bounty – $$$
Penetration Test – $$$$
Takeaways
Keep evolving (maturity stairs): Activity, Distribution, Accountability, Metrics
DevOps
• Agile success drove the need for tighter integration between Development and Operations – coined in 2009
• Encourages (and indeed needs) collaboration between development, operations and QA – results in the need for cultural change
• Allows for focus on application release automation, continuous integration and continuous delivery
• Process – People – Tools approach to development
• Often (and initially) leaves out ‘Security teams’
Takeaways
DevSecOps – culture change implemented with People | Process | Technology
Process – small steps, not immediate perfection, mandate security
People – establish security champions in DevOps, support the mandate
Tools – integrate into the DevOps tool chain natively
Shift Left – introduce additional tools and information earlier in the DevOps process
Thanks
Bob Egner, CMO
be@outpost24.com

Outpost24 webinar - application security in a dev ops world-08-2018


Editor's Notes

  • #5 2001 Writing Secure Code by Howard and LeBlanc from the earlier Microsoft’s Secure Windows Initiative
  • #6 And so we end up with Agile + DevOps being likened to that fabled Silver bullet. You know: the thing that slays the beast. In this case, addressing the need to align development to an efficient, digital pace of business today. Or the thing that magically addresses a complicated problem.
  • #7 With the success of Agile development, in 2009 the concept of DevOps was raised by Andrew Shafer and Patrick Debois. DevOps is essentially a natural evolution of Agile; it brings closer together the Development team, the Operations team and QA to allow for the rapid release of applications through sprints. Although it requires a cultural change, organizations embracing it can develop and deliver applications much faster. Security by design is often shoehorned into the DevOps process, often focusing on the end of the development journey. However, for many years the security teams were still precluded from the process. In fact, whilst remaining a silo separate to the Agile and DevOps processes, security can become the inhibitor to successfully implementing Agile and DevOps cultures.
  • #8 Security by design,…… Agile and DevOps allow customers to develop and deliver applications to the market at a quick pace. And yet, time after time the surveys show that web application attacks continually feature in the top lists of incidents and often right at the top in sources of breaches.
  • #9 And OWASP constantly publishes the top 10 list, not the top 3 or 5. Couple that with almost no change in the top 10 over the last 4 years, and it’s little wonder our customers are asking how, as they adopt DevOps, security can fit into the DevOps model without being a hindrance.
  • #11 Earliest form of this was Harold Leavitt’s 1964 use of 4 elements (structure, tasks, people, technology) in describing organizational change – since then, we’ve improved it to just 3 elements. I like this version from Chris Penn because it clearly shows where the benefits come from – the intersections. http://www.christopherspenn.com/2018/01/transforming-people-process-and-technology-part-1/
  • #12 In 2017 Gartner shows that the biggest strategy to overcome was collaborating with Security. As organisations adopt a
  • #13 If security teams remain siloed and disengaged from the Agile DevOps process then challenges will arise. In fact, it’s highly likely that Security will become a stumbling block to the success of Agile. Remember, Agile and DevOps are about collaboration (and rapid iteration). So break down the silos between the teams, integrating them together to create ‘DevSecOps’.
  • #14 1. Wrong. With the right automation and tools, security can be injected into the development process much earlier. 2. Wrong. Whilst configuration management tools help with deployment and redeployment, they simply cannot handle the security analysis that a security professional can. 3. Wrong. The majority of developers are NOT security experts. Neglecting the security experts can lead to your organization becoming the next statistic in the Verizon DBIR report. 4. Wrong. Keeping security as its own functional area or silo misses the point of Agile and DevOps – namely cross-functional integration. Security experts must partner with development and operations at the beginning of the development process. It might mean a cultural change, but it is absolutely imperative to success.
  • #20 Point out – this is about situations where you have control over the DevOps process. If you outsource development, you may not be able to evolve without external collaboration. For customization on COTS, you can still treat it as development and work towards this process. Whilst we try to move away from waterfall in the Agile DevOps world, if we take a moment to look at both the types of tools available and where they sit in the software development lifecycle, we can identify where our own organisation is. Think about a shift left approach: if you don’t have anything in place today, then can you fit a penetration test into the process? However, remember Agile is about shorter development sprints. Therefore your pen test partner needs to be able to deliver on demand and at speed. Likewise, if you’re doing DAST today, shifting left might mean SAST or IAST or MAST depending on the applications you are developing.
  • #24 Ultimately, when considering DevSecOps and starting the journey you need to consider Voltaire’s words: perfect is the enemy of good. Don’t chase perfection, namely the fixing of ALL vulnerabilities during the development cycle. This will kill your ability to deliver rapid sprints as you get bogged down with testing in the old Security by design mentality. Instead, use other tools to help mitigate the unknown or less common vulnerabilities: IPS, WAF, even next gen firewalls. Have the development team focus on the known critical vulnerabilities and fix them; use OWASP to help guide them on how to fix and not repeat the same errors. And when selecting your SAST, DAST, MAST and IAST tools, make sure they too are agile: agile in scanning and agile in the way they integrate in the CI/CD process.
  • #25 This is what our customers are asking us for time and again. 1. in DevOps, the development team should be capable of launching and executing automated scans from directly within their native toolchain. The scanners should be easy to use and not require significant security expertise. Moreover, findings should appear in the same DevOps native toolchain.
  • #29 Maturity curve is like climbing stairs – people, process, technology. Now carrying a bike on foot; now riding up.