DevSecOps

About me
Venkat Reddy Sree Puram
National Technical Committee member - NCDRC
Steering Committee Member - NISS 2017
Chapter Lead - Hackers Day(Hyderabad Chapter)
Security Analyst - ——————————————
Certifications - *******************
Performs Vulnerability Assessment and Pen-test on
WebApplications
Servers
Mobile Applications

Agenda
Software Development Evolution
a. Waterfall
b. Agile
Introduction to DevOps
DevOps Process
Dark Launching Technique? Implementation in Facebook
DevSecOps
SAST,DAST and SIEM tools
Demo on IBM App scan integration with Jenkins
Cost of Security Bug at different environments and bug bounty
programs initiation
Automating Security Using SAST, DAST and SIEM tools

Software development evolution
DevSecOps
Waterfall
Agile
DevOps

Waterfall Model
Requirements
Design
Testing
Implementation
Deployment
Maintenance

Waterfall Model
PROS
This model is simple and easy to understand and use.
It is easy to manage due to the rigidity of the model(specific deliverables)
Waterfall model works well for smaller projects.
CONS
Poor model for long and ongoing projects.
No working software is produced until late during the life cycle.
High amounts of risk and uncertainty.
Clients requirements may change

Requirements
R 1
S 1
R nR 3R 2 ………
S 3
S 2
S 1 S 3
S 2
R - Release
S - Sprint

Agile
PROS
Responding to change as required by clients
Faster review cycles (2 to 5 sprints)
Less up-front work
Software will be delivered in shorter time
CONS
Lack of Understanding
Lack of predictability
Gap between two teams

DevOps
Why DevOps Came into Picture?
DevOps is a software development method that highlights collaboration
and open communication between teams(reduce the gap between teams).
DevOps is about Process
DevOps is about Connections
DevOps is about Tools
DevOps is about Automating everything
Continuous Software delivery

DevOps
What Happens in DevOps?
Automate everything using tools
➢ Continuous development
➢ Continuous integration
➢ Continuous testing
➢ Continuous deployment
➢ Continuous monitoring
Finally,
➢ Greater Customer Satisfaction
➢ Increased Productivity

Planning Phase
In the planning phase all the details related to current build will be
logged in the JIRA and Yutrack

Development Phase
For source code management we have GIT and SVN. These tools help us
in maintaining the code throughout the development lifecycle.

Build Phase
They help you package your code into executable files which can then be
produced into the testing environment.

Testing Phase
For Continuous testing we will use Robotic Automations and some other
reusability code.

Release Phase
For the release phase, automate tools like bamboo are used in the releasing
a build.

Deployment Phase
After the code is tested and ready it will be deployed into production or
the non-developer machine at this stage.

Operations Phase
In the operations phase everything will be monitored by using Security
Incident and Event management (SIEM tools) for security alerts and
misbehaviour of application.

Monitoring Phase
In the monitoring phase, continuous feedbacks will be taken from
customers and also will be monitoring them.

Is every thing Fine
Any challenges
Load on server
scalability issues
Security Issues

What if a new feature is released
and all the client wants to use
the feature at the same time?

Facebook Use case
Facebook
Deployments and Release world wide Servers Meltdown
Multiple
Features

Dark Launching Technique
It is a technique in which the features are deployed to a small
user base.
This user base is continuously monitored and their feedback is
taken and the features are made better by continuous
development and testing.
Facebook, Google, Amazon and Netflix are just a few of them

Dark Launching Technique
Facebook
Features
Phase 1
Phase 2
Phase 3

Facebook
Status
Features
Users
Updated
Features
Status
Users
Continuous Development and Testing
Continuous Monitoring
Continuous
Integration
Continuous
Deployment

Cost of a Security Bug for Fixing

DevSecOps
DevSecOps Continuous Security:
In DevOps we are automating everything including continuous
deployments. The concept is to integrate Security Tests and Scans in
the continuous process by Automating SAST,DAST and SIEM tools.

SAST
SAST(Static application security testing)
SAST is a set of technologies designed to analyse application source code, byte code
and binaries for coding and design conditions that are indicative of security
vulnerabilities.
Developers write the source code and is checked into SVN or Git.
Before building the code, source code analysis is done by SAST to identify
vulnerabilities
If any Vulnerabilities observed by tool, Developers will be notified as build was
incomplete.

DAST
DAST:(Dynamic Application Security Testing)
DAST is completely a black box Security, it only injects input into Web Applications
and observes the behavior of the application by, again, only observing the external
outputs.
Thus, DAST tools can only point to vulnerabilities but, in contrast to SAST, are
usually not able to provide information to developers on how to fix a detected
issue.
Vulnerability Scanners

Comparison
Coverage
Static Analysis
(SAST)
Dynamic Analysis
(DAST)
Pentest
(PT)
Custom Code 100% 25 25
Libraries 0 25 25
Frameworks 0 25 50
Application Server 0 25 50
Runtime Platform 0 25 50
Business issues 0 0 75

Reported XSS and SQL Injection flaws in ******** Router
Downloaded 2,80,000 students profiles from a exam vendor and
reported them.
Reported payment issues in 20+ applications, how was able to
purchase everything for 0.01 rupee.
Reported SQL injections in many university websites
Reported information leakage of internal employees data(mobile,
name, email, etc.) of popular wallet.
Etc……..
Submissions

Never report any vulnerability to the owner unless they announce
Bug Bounty Programme
Never hire any one for just managing/performing VA scans.
Never disclose vulnerability findings anywhere
Never trust VPN, TOR, Proxies (who knows vpn provides may share/
sell details by insiders or when did a social engineering attacks?
Do not do
SUGGESTION: Use Wi-Fi(VPN(TOR/Proxies)) + WarDriving

Vulnerable Web Applications(Offline)
Damn Vulnerable Web App (DVWA) - http://www.dvwa.co.uk/

bWAPP - http://www.mmeit.be/bwapp/

Foundstone Hackme Bank - http://www.mcafee.com/us/
downloads/free-tools/hacme-bank.aspx

OWASP Bricks - http://sourceforge.net/projects/owaspbricks/

sqli-labs - https://github.com/Audi-1/sqli-labs

PentesterLab - https://pentesterlab.com/

Foundstone Hackme Travel - http://www.mcafee.com/us/
downloads/free-tools/hacmetravel.aspx

DOWNLOAD FREE PROJECTS FROM GOOGLE

Vulnerable Web Applications(online)
IBM altoromutual - http://demo.testﬁre.net/

Acunetix acuforum - http://testasp.vulnweb.com/

Acunetix acublog - http://testphp.vulnweb.com/

HP freebank - http://zero.webappsecurity.com

NTOSpider Test Site - http://www.webscantest.com/


Vulnerable Operating System
Damn Vulnerable Linux - http://sourceforge.net/projects/
virtualhacking/ﬁles/os/dvl

Pentester Lab - https://www.pentesterlab.com/exercises

Metasploitable - http://sourceforge.net/projects/
virtualhacking/ﬁles/os/metasploitable/

Kioptrix - http://www.kioptrix.com/blog/


Vulnerable Mobile Applications
Damn Vulnerable iOS App (DVIA) - http://
damnvulnerableiosapp.com/

Hacme Bank Android- http://www.mcafee.com/us/
downloads/free-tools/hacme-bank-android.aspx

InsecureBank - http://www.paladion.net/downloadapp.html

Damn Vulnerable Android App (DVAA) - https://
code.google.com/p/dvaa/


DevSecOps

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to DevSecOps

Similar to DevSecOps (20)

Recently uploaded

Recently uploaded (20)

DevSecOps