The document provides an overview of secure DevOps practices including:
- Integrating security into the software development lifecycle from design through deployment.
- Using automation and continuous integration/delivery practices to continuously assess and remediate vulnerabilities.
- Implementing secure configurations for hardware and software and keeping systems updated with the latest patches.
- Performing security testing using tools that can identify vulnerabilities during the development process.
- Controlling administrative privileges and secrets management in an "infrastructure as code" environment.
Veritis helps organizations in proactively adopting DevSecOps and redefining their operations, engineering and security to work in cohesion towards business success.
Awareness and Guide to a Practical Implementation.
Discover how to automate security testing, and ensure every bit of code is scanned before it leaves the developer’s hands.
https://bsidesdc2018.busyconf.com/schedule#day_5acff470ec4a15f24e000036
This document discusses DevSecOps and provides information about integrating security practices into the DevOps process. It describes how DevSecOps improves upon traditional DevOps by adding security checks to code, containers, and infrastructure. These checks help detect vulnerabilities, sensitive information, and non-compliance before code is deployed. The document also introduces the open-source auditing tool Lynis, which scans servers to identify vulnerabilities and compliance issues across the operating system, network settings, authentication methods, and more.
- Stefan Streichsbier is the CEO of GuardRails and a professional white-hat hacker who has identified severe shortcomings in security processes and technologies, leading him to create GuardRails.
- The document discusses the evolution of DevOps and increasing complexity, the state of security and how it needs to fit within modern development workflows, and introduces the concept of DevSecOps to address shortcomings and better integrate security.
- Key aspects of DevSecOps discussed include how to create, test, and monitor secure applications and empower development teams to build security in from the start rather than see it as a separate function. Automated security tools and the need to reduce noise and improve usability for developers is also
This document discusses DevSecOps, which involves infusing security practices into the development lifecycle to enable faster release cycles while maintaining security. It notes that over 53,000 cybersecurity incidents occurred in India in 2017. Implementing DevSecOps requires changes across an organization's people, processes, tools, and governance to embed security responsibilities across all teams. The typical DevSecOps pipeline shifts security left through activities like threat modeling, security testing, and monitoring throughout the development lifecycle.
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
Dmitriy Desyatkov, "Secure SDLC or Security Culture: to be or not to be" - WrikeTechClub
Sooner or later every company starts thinking about both the security of its product and its internal security, and this inevitably leads to building security processes, standards, requirements and policies. This process is fairly complex and labour-intensive, requiring a certain level of maturity from the company and coordinated work by all of its employees. We would like to share our experience of building a security culture at Wrike, including with the help of the product we make. We will also share our experience of solving real security problems that we or our clients run into.
Open Source Security: How to Lay the Groundwork for a Secure Culture - WhiteSource
Open-source components are prevalent in approximately 97% of modern applications and dominate anywhere between 60-80% of their codebases. This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements.
However, taking into consideration the fact that recent years have seen an upsurge in reported open-source vulnerabilities, whose details and exploits are publicly available, it's no wonder that organizations are increasingly directing focus towards ensuring that their open-source components are securely integrated into their software.
Join Guy Bar-Gil, Product Manager at WhiteSource, as he discusses:
1. The four layers of open-source security
2. How to integrate continuous security into your SDLC
3. Best practices for organizations to own and execute the security process
This document discusses implementing a secure software development lifecycle (SDLC) to improve application security. It outlines why the traditional approach of only involving security experts does not work. Instead, it proposes integrating security practices throughout each phase of the development process, including requirements, design, implementation, verification, and release. This includes training developers, conducting threat modeling and security testing, using security tools in continuous integration, and analyzing results to address issues early. The goal is to reduce security defects over time by changing developer mindsets and integrating security as applications are built.
This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles, specifically the big challenge of introducing and fixing new security issues versus tackling the existing security debt of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) What security will look like in 5-10 years.
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps - DevOps.com
The traditional way of handling security issues in DevOps involves security teams analyzing vulnerabilities and opening issues/tickets, with closing the loop on resolutions being difficult. This model is changing as the cost of fixing later-stage defects rises significantly. The shift is toward DevSecOps where responsibility for application security moves to development teams. Developers are integrating security tools earlier in the software development lifecycle (SDLC) to enable a more secure-by-design approach. Effective DevSecOps requires tools that fit seamlessly into developer workflows and prioritize actual vulnerabilities over non-issues. It also demands integrating security practices into DevOps processes through agile methodologies and automation.
DevSecOps in 2031: How robots and humans will secure apps together Log - Stefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, who is responsible for securing a cutting-edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. A small task force has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste: you are joining your future self to go to the year 2031 and learn what they have learned, to bring that knowledge back to the present and stop the dark future from ever happening.
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers - DevOps.com
DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they?
In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about:
- The current challenges of the security and development teams when it comes to AppSec
- The contradicting views and gaps between the teams on DevSecOps maturity
- How to break the silos and advance toward DevSecOps maturity
Taking Open Source Security to the Next Level - WhiteSource
Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future.
Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.
This document summarizes the PIACERE project, which aims to integrate security into DevSecOps processes. It receives funding from the EU Horizon 2020 program. The project develops tools like the DevSecOps Modeling Language (DOML) and Verification Tool to integrate security principles into infrastructure modeling and deployment. It also includes a Canary Sandbox Environment for testing deployments and an Infrastructure Optimization Platform for optimizing cloud resources. The overall goal is to provide a unified platform for secure, automated deployment to multiple clouds.
The document announces events from DevSecOps Singapore to bring together developers, operations, and security professionals. It describes monthly meetups for talks and networking, workshops over 4 months on integrating security testing into the SDLC, and an annual conference in 2017. It provides announcements for the workshops and conference and calls for speakers, office space, and volunteers to help build the community.
Link to Youtube video: https://youtu.be/-awH_CC4DLo
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn id: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Basic Introduction to DevSecOps concept
Why What and How for DevSecOps
Basic intro for Threat Modeling
Basic Intro for Security Champions
3 pillars of DevSecOps
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
How to integrate security in CI/CD pipeline
Open Source Security at Scale - The DevOps Challenge - WhiteSource
It’s no secret that open source components form the backbone of today’s software, comprising between 60-80% of modern applications. But with this comes an alarming rise in open source vulnerabilities – more than 3,500 open source vulnerabilities were reported in 2017 – that’s 60% higher than the previous year, and the trend continued in 2018.
The question arises: how can DevOps teams ensure a visible and continuous delivery pipeline for software releases without letting security slow them down?
Join WhiteSource’s Product Manager, Shiri Ivtsan, as she discusses:
- The current state of open source vulnerabilities management;
- The latest innovations in the open source security world; and
- The best DevOps tools to protect organizations against open source vulnerabilities and ensure agility, visibility and control regarding their open source.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. It then asks whether security in DevOps is important, who is responsible for it, and what teams can do to make security a competitive advantage.
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes in CI and CD. DevSecOps goes beyond automating security testing, and there are common misconceptions and roadblocks on the way to establishing it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integrating security fits into DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
Daniel Kefer from 1&1 Internet AG presented on 1&1's secure software development lifecycle (SDLC). He began by introducing himself and 1&1. He then discussed the motivation for a secure SDLC, noting the higher costs of fixing bugs later in development. Kefer outlined the common approaches to application security as intuitive, reactive, or proactive. 1&1 aims to take the proactive approach through their SDLC methodology. He described their methodology, including classifying systems based on risk level and assigning different security requirements at each level across both the development lifecycle and technical categories. Kefer finished by discussing 1&1's plans to expand usage and continuous improvement of their SDLC methodology.
This document provides guidance on building an application security program. It discusses common application security threats and vulnerabilities. The goal of application security is to reduce application risks. Methods include static code analysis, dynamic testing, and manual verification at different stages of the software development lifecycle. The document recommends starting simple, setting policies and standards, scaling application security as development scales, and verifying third party applications. It emphasizes the importance of continuous improvement, metrics, and alignment with development processes.
Tackling the Risks of Open Source Security: 5 Things You Need to Know - WhiteSource
This document discusses open source security risks and provides recommendations. It contains 5 sections:
1. Open source risk is on the rise as open source code accounts for 60-80% of software and reported vulnerabilities are increasing.
2. Developers must change their mindset as open source vulnerabilities differ from proprietary vulnerabilities in detection, publicity and remediation.
3. Prioritizing security vulnerabilities is key as developers spend too much time on ineffective vulnerabilities.
4. Security responsibilities must be delegated between security, DevOps and developers to bridge gaps.
5. Shifting security left by empowering developers and integrating tools earlier can turn developers into advocates and detect issues cheaper.
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ... - WhiteSource
The best approaches and practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising on security.
The document discusses the Secure Software Development Life Cycle (SSDLC) and provides recommendations for developers to integrate security into their processes. It recommends that developers understand common threats, perform penetration testing, implement logging of abnormal activity, secure all inputs and outputs, and consider security requirements throughout the entire development cycle from design to deployment. The document emphasizes that software security is important and is everyone's responsibility.
Talk to executives in IT divisions of large enterprises about security and invariably the conversation will hover around the DevSecOps pipeline.
Is DevSecOps the only thing you need to do for security in your IT division or is there more?
What impact does bringing in secure culture in an engineering context mean?
What handshake is needed between the IT function and the security / risk function for large enterprises?
How does this impact roles and responsibilities of a developer?
This talk is an attempt to answer questions such as these using real-world examples of transformations seen in Fortune 100 companies.
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven... - Amazon Web Services
The document discusses moving from traditional to modern operational models using real-time operations and DevSecOps. It promotes adopting PagerDuty to help with real-time operations by providing a platform for on-call management, event intelligence, and visibility across 300+ integrations. Adopting cloud technologies provides an opportunity to redefine operational models to be more collaborative, automated, proactive and learning-focused.
Continuous Security / DevSecOps - Why, How and What - Marc Hornbeek
This presentation explains what Continuous Security / DevSecOps is, why it is important, how it works and what you can do to realize a well-engineered DevSecOps solution in your own organization or enterprise.
This document discusses implementing a secure software development lifecycle (SDLC) to improve application security. It outlines why the traditional approach of only involving security experts does not work. Instead, it proposes integrating security practices throughout each phase of the development process, including requirements, design, implementation, verification, and release. This includes training developers, conducting threat modeling and security testing, using security tools in continuous integration, and analyzing results to address issues early. The goal is to reduce security defects over time by changing developer mindsets and integrating security as applications are built.
This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the existing security dept of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) How security will look like in 5-10 years.
From Zero to DevSecOps: How to Implement Security at the Speed of DevOpsDevOps.com
The traditional way of handling security issues in DevOps involves security teams analyzing vulnerabilities and opening issues/tickets, with closing the loop on resolutions being difficult. This model is changing as the cost of fixing later-stage defects rises significantly. The shift is toward DevSecOps where responsibility for application security moves to development teams. Developers are integrating security tools earlier in the software development lifecycle (SDLC) to enable a more secure-by-design approach. Effective DevSecOps requires tools that fit seamlessly into developer workflows and prioritize actual vulnerabilities over non-issues. It also demands integrating security practices into DevOps processes through agile methodologies and automation.
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
The year is 2031, how has software development and security evolved in the last decade? Are there any developers or security folks left? Have robots taken our jobs?
We will join Security Engineer Sam, that is responsible for securing a cutting edge application for a hot fintech company in the year 2021. The app has just completed a major release and Sam is sharing her progress and learnings with her peers at a local OWASP meetup. After a night of celebration she wakes up and finds her future self jumping out of a time-machine in her bedroom closet. Time travel paradoxes aside, the future of the world is at stake because a sentient A.I. is threatening to hack the planet. There is a small task force that has been working for a decade on finding a way to finally solve secure software development, and they have done it! There is no time to waste, you are joining your future self to go to the year 2031 and learn what they have learned to bring that knowledge back to present and avoid the dark future from ever happening.
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersDevOps.com
DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you'd ask most organizations, well, they believe they are in the process of adopting DevSecOps tools and practices. But, are they?
In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about:
The current challenges of the security and development teams when it comes to AppSec
The contradicting views and gaps between the teams on DevSecOps maturity
How to break the silos and advance toward DevSecOps maturity
Taking Open Source Security to the Next LevelWhiteSource
Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future.
Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.
This document summarizes the PIACERE project, which aims to integrate security into DevSecOps processes. It receives funding from the EU Horizon 2020 program. The project develops tools like the DevSecOps Modeling Language (DOML) and Verification Tool to integrate security principles into infrastructure modeling and deployment. It also includes a Canary Sandbox Environment for testing deployments and an Infrastructure Optimization Platform for optimizing cloud resources. The overall goal is to provide a unified platform for secure, automated deployment to multiple clouds.
The document announces events from DevSecOps Singapore to bring together developers, operations, and security professionals. It describes monthly meetups for talks and networking, workshops over 4 months on integrating security testing into the SDLC, and an annual conference in 2017. It provides announcements for the workshops and conference and calls for speakers, office space, and volunteers to help build the community.
Link to Youtube video: https://youtu.be/-awH_CC4DLo
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Basic Introduction to DevSecOps concept
Why What and How for DevSecOps
Basic intro for Threat Modeling
Basic Intro for Security Champions
3 pillars of DevSecOps
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
How to integrate security in CI/CD pipeline
Open Source Security at Scale- The DevOps Challenge WhiteSource
It’s no secret that open source components form the backbone of today’s software, comprising between 60-80% of modern applications. But with this, comes the alarming rise in open source vulnerabilities – more than 3,500 open source vulnerabilities were reported in 2017 – that’s 60% higher than the previous year, and the trend continued in 2018.
The question arises: how can DevOps teams ensure a visible and continuous delivery pipeline for software releases without letting security slow them down?
Join WhiteSource’s Product Manager, Shiri Ivtsan, as she discusses:
- The current state of open source vulnerabilities management;
- The latest innovations in the open source security world; and
- The best DevOps tools to protect organizations against open source vulnerabilities and ensure agility, visibility and control regarding their open source.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. Furthermore, is Security in DevOps important, who is responsible and what can teams do make security a competitive advantage.
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where security integration fits into DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
Daniel Kefer from 1&1 Internet AG presented on 1&1's secure software development lifecycle (SDLC). He began by introducing himself and 1&1. He then discussed the motivation for a secure SDLC, noting the higher costs of fixing bugs later in development. Kefer outlined the common approaches to application security as intuitive, reactive, or proactive. 1&1 aims to take the proactive approach through their SDLC methodology. He described their methodology, including classifying systems based on risk level and assigning different security requirements at each level across both the development lifecycle and technical categories. Kefer finished by discussing 1&1's plans to expand usage and continuous improvement of their SDLC methodology.
This document provides guidance on building an application security program. It discusses common application security threats and vulnerabilities. The goal of application security is to reduce application risks. Methods include static code analysis, dynamic testing, and manual verification at different stages of the software development lifecycle. The document recommends starting simple, setting policies and standards, scaling application security as development scales, and verifying third party applications. It emphasizes the importance of continuous improvement, metrics, and alignment with development processes.
Tackling the Risks of Open Source Security: 5 Things You Need to Know (WhiteSource)
This document discusses open source security risks and provides recommendations. It contains 5 sections:
1. Open source risk is on the rise as open source code accounts for 60-80% of software and reported vulnerabilities are increasing.
2. Developers must change their mindset as open source vulnerabilities differ from proprietary vulnerabilities in detection, publicity and remediation.
3. Prioritizing security vulnerabilities is key, as developers spend too much time on vulnerabilities that do not actually affect their code.
4. Security responsibilities must be delegated between security, DevOps and developers to bridge gaps.
5. Shifting security left by empowering developers and integrating tools earlier can turn developers into advocates and detect issues cheaper.
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ... (WhiteSource)
The best approaches and practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising on security.
The document discusses the Secure Software Development Life Cycle (SSDLC) and provides recommendations for developers to integrate security into their processes. It recommends that developers understand common threats, perform penetration testing, implement logging of abnormal activity, secure all inputs and outputs, and consider security requirements throughout the entire development cycle from design to deployment. The document emphasizes that software security is important and is everyone's responsibility.
Talk to executives in IT divisions of large enterprises about security and invariably the conversation will hover around the DevSecOps pipeline.
Is DevSecOps the only thing you need to do for security in your IT division or is there more?
What impact does bringing in secure culture in an engineering context mean?
What handshake is needed between the IT function and the security / risk function for large enterprises?
How does this impact roles and responsibilities of a developer?
This talk is an attempt to answer questions such as these using real-world examples of transformations seen in Fortune 100 companies.
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven... (Amazon Web Services)
The document discusses moving from traditional to modern operational models using real-time operations and DevSecOps. It promotes adopting PagerDuty to help with real-time operations by providing a platform for on-call management, event intelligence, visibility across 300+ integrations. Adopting cloud technologies provides an opportunity to redefine operational models to be more collaborative, automated, proactive and learning-focused.
Continuous Security / DevSecOps - Why, How and What (Marc Hornbeek)
This presentation explains what Continuous Security / DevSecOps is, why it is important, how it works and what you can do to realize a well-engineered DevSecOps solution in your own organization or enterprise.
This document outlines an approach for integrating security into the software development lifecycle (SDLC) using DevSecOps principles. It discusses how security can shift left by being incorporated into various phases of product development and delivery, including product management, design, development, deployment, defect management, and monitoring. It provides examples of how to integrate security practices and tools at each stage. The goal is to establish security as a critical product feature rather than an afterthought, and foster collaboration between security and development teams through a DevSecOps model and maturity criteria.
This document provides an overview of application security challenges and trends. It discusses how attacks have moved to target applications directly rather than just infrastructure. It also notes that security is often an afterthought for developers focused on speed and that maturity varies. Key trends include shifting security left in the development process, addressing open source risks, and leveraging tools like machine learning. Stakeholders have different priorities around protecting the organization versus meeting deadlines. Primary use cases involve finding and fixing vulnerabilities throughout the development lifecycle. The Fortify platform aims to provide application security that scales with development needs.
This document provides an overview of application security and the Fortify portfolio. It discusses growing application security challenges such as attacks targeting the application layer. It also reviews key application security trends like shift left development and cloud transformation. The document outlines primary customer use cases and priorities around securing applications. Additionally, it summarizes the Fortify product offerings and how the portfolio addresses application security needs. Examples of Fortify customer success are also provided along with insights into the competitive application security market.
Resolving the Security Bottleneck: Why DevSecOps is Better compared to DevOps.pdf (MobibizIndia1)
DevSecOps is a development methodology that combines security measures at every stage of the software development lifecycle in order to provide reliable and secure systems. DevSecOps, in general, increases the benefits of a DevOps service.
DevSecOps Best Practices - Safeguarding Your Digital Landscape (stevecooper930744)
DevSecOps best practices help us to understand the culture and mindset, security, measuring and collecting data, training on secure coding, and security automation.
DevSecOps - It can change your life (cycle) (Qualitest)
QualiTest explains how a secured DevOps (DevSecOps) delivery process can be achieved using automated code scan, enabling significant shift left of issues detection and minimizing the time to fix. Whether you are considering DevSecOps, on the path, or already there, this slide is for you.
For more information, please visit www.QualiTestGroup.com
In 1993 the Telecommunications Information Networking Architecture Consortium (TINA-C) defined a Model of a Service Lifecycle that combined software development with (telecom) service operations.[7]
In 2009, the first conference named devopsdays was held in Ghent, Belgium. The conference was founded by Belgian consultant, project manager and agile practitioner Patrick Debois.[8][9] The conference has now spread to other countries.[10]
In 2012, the State of DevOps report was conceived and launched by Alanna Brown at Puppet.[11][12]
As of 2014, the annual State of DevOps report was published by Nicole Forsgren, Gene Kim, Jez Humble and others. They stated that the adoption of DevOps was accelerating.[13][14] Also in 2014, Lisa Crispin and Janet Gregory wrote the book More Agile Testing, containing a chapter on testing and DevOps.[15][16]
In 2016 the DORA metrics for throughput (deployment frequency, lead time for changes), and stability (mean time to recover, change failure rate) were published in the State of DevOps report.
The motivations for what has become modern DevOps and several standard DevOps practices such as automated build and test, continuous integration, and continuous delivery originated in the Agile world, which dates (informally) to the 1990s, and formally to 2001. Agile development teams using methods such as extreme programming couldn't "satisfy the customer through early and continuous delivery of valuable software"[19] unless they subsumed the operations / infrastructure responsibilities associated with their applications, many of which they automated. Because Scrum emerged as the dominant Agile framework in the early 2000s and it omitted the engineering practices that were part of many Agile teams, the movement to automate operations / infrastructure functions splintered from Agile and expanded into what has become modern DevOps. Today, DevOps focuses on the deployment of developed software, whether it is developed using Agile oriented methodologies or other methodologies.
DevSecOps is an augmentation of DevOps that allows security practices to be integrated into the DevOps approach. In contrast to a traditional centralized security team model, each delivery team is empowered to build the correct security controls into its own software delivery. Security practices and testing are performed earlier in the development lifecycle, hence the term "shift left". Security is tested in three main areas: static, software composition, and dynamic.
Checking the code statically via static application security testing (SAST) is white-box testing with a special focus on security. Depending on the programming language, different tools are needed for such static code analysis. In software composition analysis, the libraries and their versions are checked against vulnerability lists published by CERT and other expert groups. When giving software to clients, licenses and its match to the one of the software distribute
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
DevSecOps Indonesia - DevSecOps as a Service - Amien Harisen (Nadira Bajrei)
DevSecOps has been gaining popularity in recent years, thanks to the rapid expansion and adoption of DevOps. Traditional penetration testing is considered a blocker in a rapid CI/CD deployment, so integrating security in a seamless manner is considered an important upgrade to the DevOps environment.
However, traditional DevSecOps requires a huge amount of time, money and effort to implement. The traditional DevSecOps principle is a culture that depends on teamwork between the Dev, Sec and Ops teams, which in real-life situations is pretty difficult to realize.
This talk is about how to minimize the whole effort of implementing DevSecOps in the current DevOps environment.
This document discusses succeeding in the marriage of cybersecurity and DevOps. It outlines five keys to a successful marriage: 1) establish a common process framework; 2) commit to collaboration; 3) design for security from inception; 4) strive to automate security processes; and 5) continuously learn and innovate. The document provides examples of how tools like Espial can help automate and integrate security testing into the development pipeline to enable continuous detection and faster remediation of vulnerabilities.
DevOps security (DevSecOps) is an extension of DevOps that integrates security practices into the software development lifecycle. It addresses challenges like securing privileged credentials and tools used in DevOps environments. DevSecOps works by implementing security policies as code, separating duties between developers and security teams, and integrating security checks into continuous integration/delivery pipelines. Automating security mechanisms and taking a proactive security approach are also important for DevSecOps.
Protecting Agile Transformation through Secure DevOps (DevSecOps) (Eryk Budi Pratama)
Representing the Cyber Defense Community (cdef.id) to present and share my view on Secure DevOps / DevSecOps. Through this presentation, I shared several insights about:
1. How to balance the risk and controls in the "great shift left" paradigm (agile)
2. DevOps activities
3. How to seamlessly integrate security into DevOps
4. How to "shift left" security
5. Get started with Secure DevOps / DevSecOps
6. Case Study about DevSecOps implementation
For further discussion, especially how to secure digital and agile transformation in your organization, don't hesitate to contact me :)
DevOps Security: How to Secure Your Software Development and Delivery (Dev Software)
Software development and delivery is a complex and dynamic process that requires collaboration, automation, and quality. To meet the increasing demands of customers and businesses, software teams need to deliver software faster and more efficiently. But they also need to ensure that the software is secure and reliable.
DevOps security, also known as DevSecOps, is a practice that integrates security into every stage of the software development lifecycle, from planning to deployment and beyond. DevOps security aims to improve efficiency and reduce risk by making security a shared responsibility for developers, IT operators, and security specialists.
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps (WhiteSource)
Your organization has already embraced the DevOps methodology? That’s a great start. But what about security?
It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case.
Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss:
- Why traditional DevOps has shifted, and what this will mean
- Who should own security in the age of DevOps
- Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline
DevOps is a software development approach that aims to shorten the systems development life cycle and provide continuous delivery with high software quality. It focuses on collaboration between development and operations teams. Key aspects of DevOps include automation of the software delivery process through tools like Docker and Jenkins, continuous integration and deployment, and monitoring of applications in production. While DevOps can improve speed and collaboration, security challenges arise from development teams prioritizing speed over security and keeping up with the fast pace of changes. Adopting DevSecOps practices like automation, clear security policies, and vulnerability management can help integrate security into the DevOps process.
A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.
Secure DevOPS Implementation Guidance
1. Secure DevOPS: Awareness & a Guide to Practical Implementation
Tej Luthra, VP Engineering, Product Development
Devesh Arora, Director of Engineering, Product Development
2. Secure DevOPS: Awareness & a Guide to Practical Implementation
Merlin International
June 30, 2019
Enables Veterans Affairs with an IoT cybersecurity solution for 1.65 million network-connected devices
Supports Department of Defense with day-to-day network operations
Helps federal agencies with secure, economical, and environmentally friendly consolidated data center services
Enables HHS CSIRC to build an enterprise-wide view of cybersecurity for rapid threat assessment and disposition
4. Secure DevOPS: Awareness & a Guide to Practical Implementation
What is DevOPS
DevOps is agile on steroids
As a methodology to build software fast
Accelerates the velocity with which products are deployed to customers
DevOps begins with all things continuous
• Continuous Integration (CI) is the principle that code changes are checked into the source code repository in small batches
• Continuous delivery and deployment are principles for how the results of testing are reviewed and how the system automatically decides what to do with the build
• Continuous Testing, Quality, Security, Governance, and so on …
5. Secure DevOPS: Awareness & a Guide to Practical Implementation
Why DevOPS
Businesses need to accelerate the delivery of applications
Focuses on quickly moving new features out to the customers
Give Dev teams the capability to deploy quickly and continuously … and the responsibility to support code in production
Tear down the traditional silos of IT, namely between development and operations
Puppet Labs: 200x increase in speed from code commit to deploy; 30x more frequent deployments; 60% fewer production failures
Bank of America: 6x reduction in production defects
Ticket Master: Reduced Mean Time to Repair by 90%
Source: https://www.slideshare.net/AndersLundsgrd/the-devops-journey-in-an-enterprise-scania-swisscom-software-day-2016
6. Secure DevOPS: Awareness & a Guide to Practical Implementation
Route to Secure DevOPS
Why
• Criminals & hackers focus on weakness
• A part of your security strategy
• Constantly Evaluate Business Risks
• Federal, State, Local, Regulatory
Challenges
• Believed too costly
• Split between Functionality and Speed
• Private / Behind a firewall
• Find and Fix
• Tools and Resources
Considerations
• Risk Assessments
• Policy – Procedures – Processes
• Regulatory – PCI, HIPAA, FISMA
• Physical Infrastructure
• Methodology
• Data Strategy
• Threat Modeling
• Testing
Source: https://www.cisecurity.org/webinar/foundations-of-an-application-security-program/
7. Secure DevOPS: Awareness & a Guide to Practical Implementation
Security within the end-to-end product lifecycle
[Figure: pipeline diagram. Continuous Integration, then Continuous Deployment and Delivery, with Continuous Security Feedback spanning both; stage labels: Security Considerations, Design and Tested, Security hardened, Security controls, Monitoring]
8. Secure DevOPS: Awareness & a Guide to Practical Implementation
Common Requirements
• Access Control
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Security Assessment
• System & Comm. Protection
• System & Information Integrity
9. Secure DevOPS: Awareness & a Guide to Practical Implementation
Identify known vulnerabilities
Use of reusable libraries and frameworks
The amount of custom code is decreasing considerably
Open-source software (OSS) presents a unique challenge
10. Secure DevOPS: Awareness & a Guide to Practical Implementation
Secure Configurations for HW & SW
Known vulnerabilities
Use custom hardened system images
Center for Internet Security (CIS)
CI/CD tools simplify the process of rolling these out
11. Secure DevOPS: Awareness & a Guide to Practical Implementation
Continuous Vulnerability Assessment and Remediation
Keep up with new Vulnerabilities
Reuse of Automation Framework
AB Testing and Blue Green Deployment
Scanning during Development
                  Patch Set A   Patch Set B
Vulnerabilities   37            2
Return time       15 ms         25 ms
# errors/1000     300           100
Visits / user     50            150
12. Secure DevOPS: Awareness & a Guide to Practical Implementation
Application Software Security
Vulnerabilities found in 98% of apps
Security assessments
CICD Tools Advantages
Run additional tests in staging in parallel
Trustwave Global Security Report
13. Secure DevOPS: Awareness & a Guide to Practical Implementation
Controlled Use of Administrative Privileges
The DevOps model
Controlling administrative credentials becomes even more important
In an “infrastructure as code” environment, the code itself acts as a privileged user
Other systems provide ways to manage their own secrets
Lack more advanced features
14. Secure DevOPS: Awareness & a Guide to Practical Implementation
OWASP Top 10 Project Guidelines
•Threat modeling scenarios
SQL injection
Cross-site scripting
Cross-site request forgery
Broken authentication and session management
Insecure direct object references
Security misconfiguration
Foundational security hygiene
Embedded keys or credentials in the application
System patching
Target high value assets
15. Secure DevOPS: Awareness & a Guide to Practical Implementation
Tooling that can help
• Identify actual and potential coding issues, including those identified in OWASP
• YASCA, HP Fortify, IBM AppScan, VisualCodeGrepper, Nessus, OpenSCAP, Black Duck, SonarQube ….
BlackDuck
• scans and manages open-source software
• supports mixed LDAP/DB auth
• good UI
LAPSE
• OWASP Security Scanner
• Java EE
Nessus
• system vulnerabilities
• missing patches
• non-compliant system configurations
OpenScap
• utilizes XCCDF
• checks operating system configurations against an established checklist profile
ClamAV
• antivirus scanner for Linux operating systems
Windows Defender
• antivirus scanner for Windows operating systems
Note: This is not an endorsement of any tools. The reader is encouraged to evaluate each tool independently.
16. Secure DevOPS: Awareness & a Guide to Practical Implementation
Conclusion
Security is not an afterthought
Integrating security into DevOps requires changing mindsets
Information security must adapt to development processes and tools
In a regulated environment, DevOPS needs to evolve quickly
Host of new security tools adapted for DevOps environments
There is a need for best practices
https://www.forbes.com/sites/stevedenning/2016/08/13/what-is-agile/
Agile’s emergence as a huge global movement extending beyond software is driven by the discovery that the only way for organizations to cope with today’s turbulent customer-driven marketplace is to become Agile. Agile enables organizations to master continuous change. It permits firms to flourish in a world that is increasingly volatile, uncertain, complex and ambiguous.
“What if we could create workplaces that drew on all the talents of those doing the work? What if those talents were totally focused on delivering extraordinary value to the customers and other stakeholders for whom the work is being done? What if those receiving this unique value would be willing to offer generous recompense for it? What would these workplaces look like? How would they operate? How would they be reconciled with existing goals, principles and values? Could they operate at scale? If so, would the answers have implications for all organizations, not just software development?”
Scaled Agile Framework: SAFe
https://www.scaledagileframework.com/what-is-safe/
Scaled Agile Framework®, also known as SAFe® , is an enterprise-scale development methodology, developed by Scaled Agile, Inc. SAFe combines Lean and Agile principles within a templated framework.
Businesses need to accelerate the delivery of applications
Focuses on quickly moving new features out to the customers
Not about specific tools, but improves adoption
Bringing teams together, agile on steroids
Organized around product delivery rather than project delivery
Give Dev teams capability to deploy and the responsibility to support code in production
Tear down the traditional silos of IT, namely between development and operations
Aims at removing bottlenecks, conflicts, and risk from the lifecycle between business decision and customer outcome
The 2015 Puppet Labs State of DevOps Report shows organizations achieving
200x increase in speed from code commit to deploy
30x more frequent deployments
60% fewer production failures
Bank of America cites
6x reduction in production defects
Ticketmaster
Reduced their Mean Time to Repair by 90%
Businesses are looking to accelerate the delivery of production-quality software with fewer defects and better security. Continuous Integration/Continuous Deployment (CI/CD), also known as DevOps, is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. Rapid automation of the integration and deployment activities is common, especially on cloud-based platforms. Adding security testing into the DevOps pipeline can help address the needs of regulated, compliance-driven and public-sector-focused organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube, and OpenSCAP, amongst others, when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others, provide a robust SecDevOps implementation.
Since the first DevOps Days conference was held in 2009, adoption of DevOps strategies has been growing rapidly, with 25% of global IT companies predicted to have moved towards DevOps by 2016 (Gartner, 2015). The very definition of DevOps is still evolving, but most agree it encompasses a set of cultural values in addition to the tools and practices that enable continuous delivery (Loukides, 2015). Continuous delivery provides a competitive advantage to software companies (Humble, 2014) by lowering the risk and cost associated with releases. It also enables near-immediate feedback on new features; practicing continuous delivery requires collaboration and empathy amongst the teams involved in the delivery process (Fowler, 2013).
Configuration management systems automate the provisioning of new systems, enforcing consistent application installation, system and application configuration across classes of servers. The configuration information lives in a source code repository, and systems such as Chef, Puppet, Salt, or Ansible allow developers to treat the configuration of the servers that will run application software as code. This “infrastructure as code” can itself be versioned and tested, providing assurances that identical configurations will be in place everywhere, and improving the odds that software that tested fine in the staging system will be fine in production as well (Riley, 2014). Finally, an automated system for reliably moving software through the build -> deploy -> test -> release process is the key component (Humble & Farley, 2010) in any DevOps system. Continuous integration tools such as Jenkins make a formerly slow and error-prone task easy and repeatable, enabling the deployment of small changes and giving fast feedback about how the code operates and what customers think about new features.
DevOps is becoming the preferred approach for the rapid development and continuous delivery of these new IT-enabled capabilities. Implemented correctly, DevOps offers IT organizations improved speed of development by embracing a collaborative philosophy that tears down traditional silos of development and operations. However, in most cases, security and compliance have been afterthoughts to DevOps.
Why
Criminals & hackers focus on weakness
Leads to breaches
A part of your security strategy
Constantly Evaluate Business Risks
Federal, State, Local, Regulatory
Challenges
Believed too costly
Split between Functionality and Speed
Private / Behind a firewall
Find and Fix
Tools and Resources
Considerations
Risk Assessments
Policy – Procedures – Processes
Regulatory – PCI, HIPAA, FISMA
Physical Infrastructure
Methodology
Data Strategy
Mapping, Collection, Storage, Cleaning
Decommissioning and Retention
Threat Modeling
Testing
CI:
Frequent Code Check-ins
Focus on Code Quality
Automated Tests
Find & Fix Bugs/Issues Soon
CD
Begin each software development project by first creating the supporting CI pipeline to ensure that the necessary resources are in place before development begins.
Begin the process of building your CI pipeline by specifying the desired outcomes to be achieved and the required artifacts to be generated. Next, assess and document your current build process and infrastructure. Use the first two steps to redesign your process to ensure that the CI pipeline delivers the necessary results.
Establish baseline metrics — such as frequency and execution time of application builds, build and deployment failures, and repeated errors — before integrating each application, and monitor those metrics throughout the application life cycle. Use the baseline metrics to evaluate the success of each change, and adapt when changes to the process don't deliver the expected benefits.
Choose an application with established (but not yet automated) build and deployment processes as your pilot. As the process matures, expand the process to other applications that are supported by your development organization.
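The baseline metrics named in the steps above (build frequency, execution time, failures and repeated errors) are easy to compute once build records are exported from the CI server. The following is an added example, not code from the deck or from any CI product; the build records are constructed sample data in a format I assume (ISO timestamp, duration in seconds, result, error signature), and it compares a window after adding a security-scan stage against the baseline window so that slower builds or a higher failure rate show up as deltas:

```python
"""Compute CI pipeline baseline metrics and compare a later window against them.

Added example, not from the deck. The build records below are constructed
sample data in an assumed format (ISO timestamp, duration in seconds, result,
error signature); a real pipeline would export them from the CI server.
"""
from collections import Counter
from datetime import datetime

# Constructed baseline window: two days of builds before the process change.
BASELINE_BUILDS = [
    ("2019-06-01T09:00:00", 300, "success", None),
    ("2019-06-01T13:00:00", 320, "failure", "compile: missing symbol"),
    ("2019-06-01T17:00:00", 310, "success", None),
    ("2019-06-02T09:00:00", 330, "failure", "compile: missing symbol"),
    ("2019-06-02T13:00:00", 305, "success", None),
    ("2019-06-02T17:00:00", 315, "success", None),
]

# Constructed window after adding an automated security-scan stage.
AFTER_CHANGE_BUILDS = [
    ("2019-06-10T09:00:00", 360, "success", None),
    ("2019-06-10T11:00:00", 370, "failure", "scan: blocker finding"),
    ("2019-06-10T14:00:00", 365, "success", None),
    ("2019-06-10T16:00:00", 355, "success", None),
    ("2019-06-11T09:00:00", 360, "success", None),
    ("2019-06-11T11:00:00", 375, "failure", "scan: blocker finding"),
    ("2019-06-11T14:00:00", 362, "success", None),
    ("2019-06-11T16:00:00", 358, "success", None),
]


def build_metrics(builds):
    """Return build frequency, mean execution time, failure rate and the
    error signatures that recur (seen more than once) in one window."""
    if not builds:
        raise ValueError("no builds in window")
    days = {datetime.fromisoformat(ts).date() for ts, _, _, _ in builds}
    failures = [err for _, _, result, err in builds if result != "success"]
    signature_counts = Counter(err for err in failures if err)
    return {
        "builds_per_day": len(builds) / len(days),
        "mean_duration_s": sum(d for _, d, _, _ in builds) / len(builds),
        "failure_rate": len(failures) / len(builds),
        "repeated_errors": {sig: n for sig, n in signature_counts.items() if n > 1},
    }


def compare_to_baseline(baseline_builds, current_builds):
    """Delta of each numeric metric (current minus baseline), so a change that
    slows builds or raises the failure rate is visible at a glance."""
    base, cur = build_metrics(baseline_builds), build_metrics(current_builds)
    return {k: cur[k] - base[k]
            for k in ("builds_per_day", "mean_duration_s", "failure_rate")}


if __name__ == "__main__":
    for name, window in (("baseline", BASELINE_BUILDS), ("after change", AFTER_CHANGE_BUILDS)):
        print(name, build_metrics(window))
    print("delta", compare_to_baseline(BASELINE_BUILDS, AFTER_CHANGE_BUILDS))
```

On the constructed data the scan stage adds roughly 50 seconds to the mean build but lowers the failure rate, and the repeated-error map shows the new failures share one signature, which is the kind of signal the deck says should drive the decision to keep or adapt a change.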
Challenges
Audit of a security program
Relative immaturity and lack of corporate backing
Tools are new to the market or open-sourced
Reliance on IaaS and PaaS reduces control and visibility at the hardware and network layer
The flexibility of cloud providers to quickly scale up and down makes them attractive in DevOps environments
The CI/CD or DevOps security lifecycle begins with code development and integration. As the code is committed for deployment, the CI/CD security processes are activated. Common action items include static code analysis, vulnerability scanning, anti-virus scans and other similar integrity functions. The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization.
In order to comply with NIST requirements for applying secure engineering principles, application developers should utilize code analysis utilities to ensure safe coding practices are followed. Project teams should leverage code analysis utilities as early as possible in the development lifecycle.
The project will experience fewer delays and less rework due to flaws and other security concerns
At a minimum, code analysis should be performed as code modules are completed, but it is not necessary for modules to be completely finished for code review to be useful.
Commit Code to CI/CD
As application code is committed to the CI/CD branch in the Git repository, CI/CD performs a security review utilizing automated static code analysis tools.
Compliant Architecture
Identify compliance & requirements first
Select eligible services through trusted sources and suppliers
Create cloud-native solution architecture
Continuous Monitoring and Management
Implement tools for governance, security and cloud operations
Define processes and assign roles
Define artifacts and operate against SLAs
Accreditations and Authorization
Document system security plan
Create security backlog in plan of actions and milestones
Incident response plan
Use of reusable libraries and frameworks
This leads to a shift in focus for security scanning
The majority of risk can be addressed by identifying known vulnerabilities and misconfigurations
Vulnerability assessment vendors are adapting their scanning capabilities
Some toolchain element vendors, like Docker, are integrating this capability
The importance of this best practice cannot be overstated
The breach at Equifax may have had as its root cause a known vulnerability in Apache Struts, as stated by Equifax. Likewise, OpenSSL's Heartbleed.
Open-source software (OSS) presents a unique challenge
The developer may simply cut and paste source code
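Identifying known vulnerabilities in reused libraries comes down to comparing each pinned dependency version against the affected range in an advisory. The following is an added example, not code from the deck or from any named scanner: the advisory table and the manifest are constructed sample data with placeholder identifiers (a real pipeline would pull advisories from a vulnerability database feed), and the manifest format assumed is a pip-style "name==version" list. It handles the two version-string shapes that appear in the text's own examples, plain dotted versions and OpenSSL-style letter suffixes.

```python
"""Check a dependency manifest against a list of known-vulnerable versions.

Added example, not from the deck or any named scanner. The advisory table and
the manifest are constructed sample data with placeholder identifiers; a real
pipeline would pull advisories from a vulnerability database feed.
"""

# Constructed advisories: (package, first vulnerable, first fixed, placeholder id).
# Versions >= first vulnerable and < first fixed are treated as affected.
ADVISORIES = [
    ("struts-core", "2.3.0", "2.3.32", "ADV-PLACEHOLDER-1"),
    ("struts-core", "2.5.0", "2.5.10.1", "ADV-PLACEHOLDER-2"),
    ("openssl", "1.0.1", "1.0.1g", "ADV-PLACEHOLDER-3"),
]

# Constructed manifest in a pip-style "name==version" format.
SAMPLE_MANIFEST = """\
# constructed sample manifest
struts-core==2.3.31
openssl==1.0.1g
log-utils==4.1.0
"""


def parse_version(text, width=4):
    """Turn '2.3.32' or '1.0.1g' into a comparable tuple of (number, suffix).

    Numeric parts compare as integers; a trailing letter (OpenSSL style)
    sorts after the bare number. Shorter versions are padded so that
    2.5 compares equal to 2.5.0.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    parts += [(0, "")] * (width - len(parts))
    return tuple(parts)


def version_in_range(version, first_vulnerable, first_fixed):
    """True when first_vulnerable <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_vulnerable) <= v < parse_version(first_fixed)


def parse_manifest(text):
    """Map package name -> pinned version; comments and blank lines skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:
            deps[name.strip().lower()] = version.strip()
    return deps


def find_known_vulnerabilities(manifest_text, advisories=ADVISORIES):
    """Return one finding per advisory whose range covers the pinned version."""
    deps = parse_manifest(manifest_text)
    findings = []
    for pkg, first_vuln, first_fixed, adv_id in advisories:
        pinned = deps.get(pkg)
        if pinned and version_in_range(pinned, first_vuln, first_fixed):
            findings.append({"package": pkg, "pinned": pinned,
                             "fixed_in": first_fixed, "advisory": adv_id})
    return findings


if __name__ == "__main__":
    for f in find_known_vulnerabilities(SAMPLE_MANIFEST):
        print(f"{f['package']}=={f['pinned']} affected by {f['advisory']}, "
              f"upgrade to {f['fixed_in']}")
```

Run as a CI step this fails the build when the returned list is non-empty; the ordered-tuple comparison is what makes "1.0.1g" correctly fall outside the range that ends at "1.0.1g" while "1.0.1f" falls inside it.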
Once hardened configurations for operating systems and application components are developed, DevOps deployment tools and configuration management services like Puppet, Chef, Ansible and Salt greatly simplify the process of rolling these out to all systems and keeping the configurations in sync over time
Docker and other container technologies are increasingly popular methods for deploying applications in DevOps environments, due to advantages in portability, efficiency in resource sharing and speed of deployment
Docker also offers some security advantages, in the form of increased isolation of applications, particularly in multi-tenant environments
Docker images, however, cannot be patched and updated, nor have their running configuration changed on the fly; updated software or secure configuration must be baked in as part of the image build and new containers deployed, leading to situations where multiple container versions of varying security may be running
https://www.cisecurity.org/benchmark/docker/
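Because hardening has to be baked into the image build, the natural place to check it is a lint step on the Dockerfile before the build runs. The following is an added example, not code from the deck and not the CIS benchmark's own audit scripts: the four rules are my simplified checks in the spirit of the CIS Docker Benchmark's image-build recommendations (pin the base image, run as a non-root user, declare a HEALTHCHECK, prefer COPY over ADD), and both sample Dockerfiles are constructed, one weak and one corrected.

```python
"""Lint a Dockerfile against a few image-hardening rules before it is built.

Added example, not from the deck and not the CIS benchmark's audit scripts:
the rules are simplified checks in the spirit of the CIS Docker Benchmark's
image-build recommendations. Both sample Dockerfiles are constructed.
"""

WEAK_DOCKERFILE = """\
FROM ubuntu:latest
ADD app.tar.gz /opt/app
RUN apt-get update && \\
    apt-get install -y python3
CMD ["python3", "/opt/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04
COPY app/ /opt/app
RUN apt-get update && apt-get install -y python3 && useradd -r app
USER app
HEALTHCHECK CMD python3 /opt/app/healthcheck.py
CMD ["python3", "/opt/app/main.py"]
"""


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument)], dropping comments and joining
    backslash line continuations."""
    instructions, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        keyword, _, arg = (pending + line).partition(" ")
        pending = ""
        instructions.append((keyword.upper(), arg.strip()))
    return instructions


def base_image_is_pinned(image):
    """Pinned means a digest, or a tag other than 'latest'."""
    if image == "scratch" or "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]      # a registry host:port may contain ':'
    return ":" in last and not last.endswith(":latest")


def lint_dockerfile(text):
    """Return a list of (rule_id, message); an empty list means no findings."""
    ins = parse_dockerfile(text)
    findings = []
    for kw, arg in ins:
        if kw == "FROM":
            image = arg.split()[0]       # ignore "AS stage" aliases
            if not base_image_is_pinned(image):
                findings.append(("BASE_IMAGE_UNPINNED",
                                 f"FROM {image}: pin a tag or digest, not latest"))
        elif kw == "ADD":
            findings.append(("ADD_USED",
                             f"ADD {arg}: prefer COPY unless archive extraction is intended"))
    # Only the last USER instruction determines who the container runs as.
    users = [arg.split(":")[0] for kw, arg in ins if kw == "USER"]
    if not users or users[-1] in ("root", "0"):
        findings.append(("RUNS_AS_ROOT", "no final USER instruction naming a non-root user"))
    if not any(kw == "HEALTHCHECK" for kw, _ in ins):
        findings.append(("NO_HEALTHCHECK", "no HEALTHCHECK instruction"))
    return findings


if __name__ == "__main__":
    for name, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, lint_dockerfile(df) or "clean")
```

The weak file trips all four rules; the hardened one passes, which is the gate a configuration management or CI job would enforce so that every container deployed from the image starts from the same hardened baseline.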
Continuous Vulnerability Assessment and Remediation
Challenge: keeping up with the relentless pace of newly announced vulnerabilities
However, the focus on automation, testing, and continuous monitoring in DevOps environments can be advantageous:
the same systems that allow automated deployments of new application code via thorough unit and functional testing provide a strong foundation for testing new patches
Deployment strategies for Blue Green deployments and A/B testing allow gradual rollout and immediate feedback regarding issues and changes in system behavior
Security scans that happen as part of the deployment process provide verification that updates address known issues and reach all intended targets
Trustwave Global Security Report
Vulnerabilities were found in 98% of the applications scanned
Data leakage, cross-site scripting, SQL injection and authorization, among others
Security assessments - PenTesting
CICD Tools Advantages
Jenkins, Hudson and similar tools provide easy support via plugins
for code review and for running static analysis as part of the pipeline
These acceptance tests should be designed to complete quickly and can be run before new code is even deployed to the integration/staging environment
Further security testing, such as tests of security related functionality, vulnerability scanning, and application security scans can then be run in parallel to other acceptance testing within the staging environment
In the DevOps model everyone has the potential to administer systems and debug production issues, controlling administrative credentials becomes even more important
In a continuous deployment, “infrastructure as code” environment, the code itself acts as a privileged user
These credential “secrets” must be used by the orchestration systems
Secrets management systems aim to add role-based access control and auditability to the DevOps system
Configuration management systems like Chef and Puppet provide their own solutions for protecting secrets stored within the infrastructure code using public key encryption
but lack more advanced features such as role-based controlled access to the secrets, or full-featured support for rotating passwords and SSH keys
Secrets management systems like Hashicorp’s Vault and Conjur’s SSH Management solution provide methods to automatically provision temporary access via one-time passwords or SSH keys and to enable SSH key rotation for service accounts.
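The complement to a secrets manager is a check that credentials never land in the infrastructure code in the first place, since the code itself acts as a privileged user. The following is an added example, not code from the deck or from any named secrets or scanning product: a small scanner for configuration and infrastructure-as-code text that flags assignment-style secrets (password, token, api_key and similar), two fixed-shape formats (an AWS access key id and a PEM private key header), skips vault-style placeholders such as `${VAULT_API_KEY}`, scores values by Shannon entropy, and redacts the value in its own output so the report does not leak what it found. The sample vars file is constructed, and the AWS key in it is the documentation placeholder, not a live key.

```python
"""Detect credentials embedded in infrastructure-as-code and config files.

Added example, not from the deck or any named tool. The sample file is
constructed; the rule set and entropy threshold are my own assumptions.
"""
import math
import re

# Assignment-style secrets: password = "x", api_key: x, backup_token=x ...
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token|private[_-]?key)\s*[:=]\s*['\"]?([^'\"\s#]{6,})"
)
# Fixed-shape credential formats recognisable regardless of the variable name.
SHAPES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Placeholders that vault-backed templates legitimately contain.
ALLOWED_VALUES = re.compile(r"^(\$\{.*\}|\{\{.*\}\}|<.*>|CHANGEME|\*+)$")

# Constructed sample: an Ansible-style vars file with embedded credentials.
SAMPLE_CONFIG = """\
# constructed sample vars file with embedded credentials
db_user: app
db_password: "Summer2019!"
backup_token = q7Hn2vZp9sLkX4mR8wYb1cTd
api_key: ${VAULT_API_KEY}
aws_access_key_id: AKIAIOSFODNN7EXAMPLE
ssh_private_key: |
  -----BEGIN RSA PRIVATE KEY-----
  MIIEowIBAAKCAQEAexample
"""


def shannon_entropy(s):
    """Bits per character; a random 24-character token scores above 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value):
    """Keep two characters at each end so the finding can be located."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text, entropy_threshold=3.5):
    """Return findings (line, rule, high_entropy, redacted) for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pat in SHAPES.items():
            if pat.search(line):
                findings.append({"line": lineno, "rule": rule,
                                 "high_entropy": None, "redacted": "<redacted>"})
        m = ASSIGNMENT.search(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            if ALLOWED_VALUES.match(value):
                continue          # reference to a secrets manager, not a secret
            findings.append({"line": lineno, "rule": "hardcoded_" + key,
                             "high_entropy": shannon_entropy(value) >= entropy_threshold,
                             "redacted": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['rule']} ({f['redacted']}) "
              f"high_entropy={f['high_entropy']}")
```

The entropy flag separates a random-looking token from a human-chosen password: both are reported, but a high-entropy value in an assignment is a strong signal that a generated key was pasted in. Wired into a pre-commit hook or a pipeline stage, a non-empty result blocks the commit until the value is moved into the secrets manager and the file references it by placeholder.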
When code has been committed to the CI/CD Git repository, the associated Jenkins job builds the code base. The Jenkins build invokes a Yasca scan of the committed code, which creates a Yasca report in HTML format as well as CSV format. The Yasca results CSV file is further processed and formatted into an XML document. After the Yasca file is processed, Sonar Scanner is invoked to analyze the created XML file using custom rules to map the Yasca results into the SonarQube dashboard.
The OWASP Top 10 Project and similar publicly available guidelines are a great start.3 The training should include:
How to build and maintain simple threat modeling scenarios (thinking like a bad guy)
Input whitelisting, filtering and sanitization for user input and files
SQL injection
Cross-site scripting
Cross-site request forgery
Broken authentication and session management
Unsecure direct object references
Security misconfiguration
Foundational security hygiene
Why not to embed keys or credentials in the application code or scripts
The importance of patching
How and why hackers will target admins for credential theft and how to avoid this
Plugins
Grep Plugin. Uses external GREPfiles to scan target files for simple patterns.
PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues.
JLint Plugin. Uses J-Lint to scan Java .class files for issues.
antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues.
FindBugs Plugin. Uses FindBugs to scan Java class and Jar files for issues.
Lint4J Plugin. Uses Lint4J to scan Java .class files for issues.
Yasca plugins implement five (5) severity levels:
1 – Critical, 2 – High, 3 – Warning, 4 – Low, 5 – Informational
SonarQube implements five (5) severity levels:
• Blocker • Critical • Major • Minor • Info
https://www.checkmarx.com/2014/11/13/the-ultimate-list-of-open-source-static-code-analysis-security-tools/
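The CSV-to-XML step of the Jenkins job described above, together with the mapping between Yasca's five numeric severities and SonarQube's five named ones, is shown here as an added example. It is not code from the deck, from Yasca or from SonarQube: the CSV column layout (plugin, severity, file, line, message), the XML element names and the one-to-one severity mapping are my assumptions, and the report is constructed. It also applies the build gate a pipeline would want at this point, failing on any Critical or High Yasca finding.

```python
"""Convert a Yasca-style CSV report into XML and apply a build gate.

Added example, not from the deck and not Yasca's or SonarQube's own code.
The CSV column layout, the XML element names and the severity mapping are
assumptions; the sample report is constructed.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Yasca severity number -> SonarQube severity name (assumed one-to-one mapping).
SEVERITY_MAP = {"1": "BLOCKER", "2": "CRITICAL", "3": "MAJOR", "4": "MINOR", "5": "INFO"}

# Constructed Yasca-style CSV output; plugin names are those listed in the deck.
SAMPLE_YASCA_CSV = """\
plugin,severity,file,line,message
Grep,1,src/Login.java,42,Hard-coded password string
PMD,3,src/Util.java,17,Empty catch block
FindBugs,2,src/Query.java,88,SQL built from user input
JLint,5,src/Main.java,3,Unused import
"""


def parse_yasca_csv(text):
    """Read the CSV into row dicts, rejecting severities outside 1..5."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["severity"] not in SEVERITY_MAP:
            raise ValueError(f"unknown Yasca severity {row['severity']!r}")
    return rows


def to_xml(rows):
    """Emit one <issue> per finding with the SonarQube severity attached,
    in the assumed shape a custom Sonar Scanner rule set would consume."""
    root = ET.Element("issues")
    for r in rows:
        issue = ET.SubElement(root, "issue",
                              severity=SEVERITY_MAP[r["severity"]],
                              rule="yasca:" + r["plugin"].lower(),
                              file=r["file"], line=r["line"])
        issue.text = r["message"]
    return ET.tostring(root, encoding="unicode")


def gate(rows, fail_on=("1", "2")):
    """Return (passed, counts by SonarQube severity); the build fails when
    any finding carries a Yasca severity listed in fail_on."""
    counts = {}
    for r in rows:
        sev = SEVERITY_MAP[r["severity"]]
        counts[sev] = counts.get(sev, 0) + 1
    passed = not any(r["severity"] in fail_on for r in rows)
    return passed, counts


if __name__ == "__main__":
    rows = parse_yasca_csv(SAMPLE_YASCA_CSV)
    print(to_xml(rows))
    passed, counts = gate(rows)
    print("gate passed:", passed, counts)
    raise SystemExit(0 if passed else 1)
```

The non-zero exit status is what a Jenkins job reads to mark the build failed, which is how a Critical finding stops code before it reaches the staging environment rather than only appearing on a dashboard afterwards.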
Integrating security into DevOps to deliver "DevSecOps" requires changing mindsets, processes and technology
Security and risk management leaders must adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process, making the Sec in DevSecOps silent.
If adopting a DevOPS framework, Information security must adapt to development processes and tools, not the other way around. But it doesn’t mean
Organizations producing new applications and services using DevOps have the same responsibility to produce secure and compliant code as required by any other application.
The success of the DevOps movement means that DevOps practices are being adopted by diverse organizations, from small startups to Fortune 500 companies. As the movement matures, security is no longer an afterthought and consensus is building about the right ways to integrate security best practices into the DevOps cultural and technical evolution.
There has been an explosion in the number of tools available to help secure DevOps environments, from repository firewalls (Weeks, 2015) to new application scanners and security functional test infrastructures (DeVries, 2015), to new SSH management solutions and the ability to scan Docker containers (Doran, 2015).
Part of the DevOps philosophy and the typical microservices architecture is the freedom to choose the tools that are best for a particular culture and environment
In a regulated environment, DevOps teams will need to involve security early in the process to ensure a smooth deployment for new features
The opportunity for greater collaboration with security teams can only be a positive step
The glut of new security tools adapted for DevOps environments has the ability to provide new levels of visibility and automation for implementing security controls.
Such new tools may not be fully mature, however, and may have flaws or lack features present in more established products. There is also a lack of precedent when it comes to using such tools for audit against security standards. As the shift towards DevOps continues, we can expect increased maturity for DevOps security tools and best practices that should make implementation of these important controls easier in the future.
From a security perspective, this mindset can be advanced and has the potential to radically improve security by proactively "killing" workloads and replacing them with versions from a known good state