Fabian Lim presented on how DevSecOps is implemented at GovTech Nectar in Singapore. Nectar provides a Platform as a Service (PaaS) for government agencies, with shared responsibilities for security between Nectar and users. Nectar is responsible for the security of the PaaS infrastructure, while users are responsible for securing their applications. Nectar enables DevSecOps through a culture that embraces failure and feedback, hiring developers, security and operations staff, implementing agile processes like sprints with security involvement, and using DevOps tools to automate security in the software development lifecycle.

1. #RSAC
SESSION ID:SESSION ID:
#RSAC
Fabian Lim
PaaS in Government
With DevSecOps
DevSecOps Engineer
GovTech - Nectar
@3jmaster

2. #RSAC
Sponsors of DevOps Connect: DevSecOps

3. #RSAC
# uname -a
Human Fabian Lim Kernel Version 2.0;
wget https://about.me/fabian.lim
# history
1 baby: Ms_Info_Security / release_Carnegie_Mellon_2014;
2 noob: DevSecOps_Engineer / release_Intuit_2015;
3 root: DevSecOps_Engineer / release_GovTech_2016
whoami

4. #RSAC
Government Technology Agency Singapore
[ Launched Oct 2016 - formerly known as IDA ]
https://tech.gov.sg

5. #RSAC
Open mind
Do-it attitude
Hands-on
Agile & DevOps
Help Others to be Happy & Awesome

6. #RSAC
Water
Runs underneath our skins and this tiny island

7. #RSAC
Singapore River 1960s
Singapore River 2017

8. #RSAC
Software
… is eating the world

9. #RSAC
www.moe.gov.sg in 2002
www.moe.gov.sg in 2017

10. #RSAC
Water
http://angrytrainerfitness.com/wp-content/uploads/2012/05/Drinking-Water.jpg
https://mattermark.com/wp-content/uploads/2015/06/startups.jpg
Software
The Need

11. #RSAC
The Environment
Code Env
Water Software

12. #RSAC
The Role
http://us.123rf.com/450wm/anawat/anawat1509/anawat150901245/45074411-scientist-with-equipment-and-science-experiments-laboratory-glassware-containing-chemical-liquid-sci.jpg?ver=6
https://upload.wikimedia.org/wikipedia/commons/thumb/6/64/Coding_Shots_Annual_Plan_high_res-5.jpg/300px-Coding_Shots_Annual_Plan_high_res-5.jpg
http://www.aboriginalaccess.ca/sites/aboriginalaccess.ca/files/img/hero/civil-eng-water-resource.jpg
Water Software

13. #RSAC

14. #RSAC
Project A
Project C Project D
Project B
Time:
Years to
fulfil
Cost:
$$$$$$$$$
Manpower:
High
Overhead
Common Data:
Repeated, not
shared
Resources:
Isolated,
under utilized
Breaking Silos
Security:
✓ Compliant
:)

15. #RSAC
https://blog.gds-gov.tech/nectar-10e0eb1581cf

16. #RSAC
https://blog.gds-gov.tech/nectar-10e0eb1581cf

17. #RSAC
http://saphanatutorial.com/wp-content/uploads/2015/01/SAP-HANA-Cloud-Platform-PaaS-1.jpg
Nectar - Platform as a Service (PaaS)

18. #RSAC
https://aws.amazon.com/compliance/shared-responsibility-model/
Nectar is responsible for security of PaaS
Infrastructure Resource Monitoring
Infrastructure Network Monitoring
Infrastructure Security Tools
Shared Security Responsibilities
Users are responsible for their
applications’ security in PaaS

19. #RSAC
*With the shared modelling, tenants can focus on their responsibility of the shared security model
Self-Service via Nectar:
• Provision
• Deployment
Enabling Agencies
Tools provided by Nectar:
• App Code Scanning
• App Logging
• App Monitoring
Result:
• Continuous Delivery
• Isolation
• Easier* Compliance

20. #RSAC
How Nectar
Dance DevSecOps

21. #RSAC
[0] Infuse Culture and Mindset

22. #RSAC
Principles
Business Risk Driven; not Compliance Driven
Collaboration; not Division
Responsibility Sharing; not Dismissal
Test Hypothesis; not Delay
Doing Right Things Fast; not ‘Quick and Dirty’

23. #RSAC
• Failure
• Feedback
• Change
• Speed
• Value
• Involvement
• Well, ACTUALLY doing the work...
Embrace

24. #RSAC
[1] Hire Cool People

25. #RSAC
Development! Security! Operation!

26. #RSAC
[2] Implement Processes

27. #RSAC
http://www.behaviormodel.org/index_files/bj-fogg-behavior-model-grapic.jpg
Securing the Human - BJ Fogg Model

28. #RSAC
http://agilebrick.com/images/agile-process-1.png
Sprints
• Security in loop
• Planned time
• Feedback
• Fix it early, fast
• Include Infra/Ops

29. #RSAC
https://blog.gds-gov.tech/nectar-10e0eb1581cf
SDLC

30. #RSAC
AIR-GAP ENVIRONMENT
Government Environment

31. #RSAC
AIR-GAP
ENVIRONMENT
SDLC in Government Environment

32. #RSAC
[3] Use DevOps Tools

33. #RSAC
Everything as Code and Service
Dev Env
https://www.kanren.net/wp-content/uploads/2015/08/virtualmachines.png
 Trust

34. #RSAC
[Bonus] Red Team Thyself

35. #RSAC
Find Your Recipe

36. #RSAC
Treat code like water;
don’t take it not for granted.

37. #RSAC#RSAC
Thank You!
Profile: www.about.me/fabian.lim
Twitter: @3jmaster
Other References:
https://www.pub.gov.sg/Documents/UFW_Guidebook.pdf
https://www.pub.gov.sg/Documents/WQ2016.pdf
https://app.pub.gov.sg/waterlevel/pages/WaterLevelSensors.aspx
https://www.pub.gov.sg/research
https://www.pub.gov.sg/watersupply/waterquality/drinkingwater