DevSecOps
Deliver value faster safer
Peter Bink – September 2020
The DevXXXOps explosion
DataOps, DevSecOps, MLOps, GitOps, AIOps, DevDataOps, DesignOps, CloudOps, NoOps, WinOps, DevTestOps = DevOps 2
Cybercrime – who are they? And why do they do it?
• Advanced Persistent Threat (APT) groups. Examples: Iran’s nuclear program (Stuxnet) 2010, 2014 – Sony, 2016 – Bangladesh Bank, 2016 – Hillary Clinton, 2017 – WannaCry, 2019 – Venezuelan military, 2019 – Toyota data breach
  Source: https://www.varonis.com/blog/apt-groups/
• Also lone wolves: Gary McKinnon – “Your security is crap”
• FIG (fun, ideology, and grudge)
• Other (errors, glitches, etc.)
Security Incidents – New Zealand (2019–2020)
• NZX / MetService / Mt Ruapehu parking / …?
• Lion brewery (AU) – website was changed so clients could order milk at a Sydney-based consultancy firm. Lion shut down their IT systems to stop the attack, which impacted their supply.
• Blackbaud – US-based provider of SaaS for a lot of universities worldwide, such as Auckland University. Data has been stolen, the ransom has been paid and the data has been ‘destroyed’.
• The website of LPM Property Management showed passports, driver’s licenses and other identity documents of New Zealanders and other nationalities.
• Contact details of people who have been in contact with New Zealand Police may have been breached.
• A KiwiSaver provider, Generate, has had its computer systems breached and the personal information of 26,000 of its customers has been taken.
• …
• NZ Firearms register from NZ Police
• Tu Ora Compass Health – up to 1 million New Zealand patients’ data breached in criminal cyber hack
“Applications are the weakest links”
53% of all breaches are caused by vulnerabilities in applications
Source: 2020 State of Application Security, Forrester
Source: 2019 Data Breach Investigations Report, Verizon

‘Fun’ facts around data breaches
• “Open source continues to infect everything”: 85% of your code is sourced from external suppliers
• The average time to identify and contain a breach is 279 days
• The average total cost of a data breach is USD 3.92 million
• Cybercrime damage costs are predicted to hit USD 6 trillion annually
Sources: 2019 State of the Software Supply Chain Report, Sonatype; 2020 State of Application Security, Forrester; 2020 – 107 Must-Know Data Breach Statistics, Varonis; 2019 Cost of a Data Breach Report, IBM; 2020 Top 5 Cyber Security Stats, Cybersecurity Ventures; https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Attack Example – 2017 Equifax data breach (CVE-2017-5638)
US DOJ Indictment: https://www.justice.gov/opa/press-release/file/1246891/download
US GAO Report: https://www.gao.gov/assets/700/694158.pdf
• In September 2017, credit reporting giant Equifax reported it had been hacked.
• 147.9 million people were affected (40% of the US population).
• Names, dates of birth, driver’s license numbers and social security numbers were stolen, plus 200k credit card numbers.
• Cost Equifax 1.4 billion.
• Attributed to the People’s Liberation Army (PLA), the armed forces of the People’s Republic of China; specifically the PLA’s 54th Research Institute, also known as APT10.
• The Apache Struts vulnerability (CVE-2017-5638) was not identified on the online dispute portal
• The attacker set up a web shell for persistence (“Jquery1.3.2.min.jsp”)
• The attacker was not detected immediately
• Individual databases were not segmented from each other
• Databases contained credentials for other servers/databases
Attempts to exploit this vulnerability on your servers occur every day
‘Old’ way of working
Penetration testing provides assurance that a solution is secure in its current state, at the current time, however:
• Any code change has the potential to introduce new vulnerabilities.
• Over time, new vulnerabilities will be discovered in libraries/frameworks.
• A security tester has a limited budget and limited time.
• It is expensive to fix issues or make design changes at the end of the SDLC.
Finding & fixing security defects at the end of the SDLC
How do we move security earlier in the SDLC?
DevOps and security – Challenges
• Continuous delivery / frequent deployments:
  o do not always match the need for continuous security attention
  o and security architecture support as practised for waterfall projects does not translate directly to this way of working
• DevOps teams (autonomous) may lack security knowledge
• Heavy use of tooling, libraries and cloud services may increase the security risks
• DevOps teams need the freedom to experiment to keep improving
• Empowered and autonomous teams hold a lot of rights
How this data breach could have been prevented:
Detecting Apache Struts CVE-2017-5638
• Library/Framework Vulnerability Scanning
• Container Vulnerability Scanning
• Static Application Security Testing
• Dynamic Application Security Testing
Designing systems that would be resilient to the Equifax attack
• Web Application Firewall & Virtual Patching
• Input Validation
• Restricting internet access on servers (Firewall/Proxy)
• OS/container Hardening
• Network Segmentation
• Secure Credential Storage (no passwords in databases)
• Ephemeral Environments
https://github.com/OWASP/ASVS
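The first group of controls above (library/framework vulnerability scanning that fails the build) in working form, as an added example that is not from the slides or from Solnet: a small software composition analysis (SCA) gate in Python. The pom.xml, the advisory table, the `scan_pom`/`gate` functions and the CVSS threshold are all constructed for this example; the affected-version ranges for CVE-2017-5638 are the ones published in the Apache Struts S2-045 advisory, and a real pipeline would load such data from a vulnerability database (NVD, OSS Index) through one of the SCA tools named later in the deck rather than from an inline table.

```python
"""Dependency (SCA) gate for a build pipeline. Added example, not from the slides.

Parses a Maven pom.xml, matches each dependency against an advisory table and
fails the build when a finding reaches the policy threshold. It also fails
closed on dependencies whose version it cannot evaluate.
"""
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample manifest: a Struts 2 web application pinned to a vulnerable release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.25</version>
    </dependency>
  </dependencies>
</project>
"""

# Advisory table: (groupId, artifactId) -> [(cve, cvss, [(first_affected, last_affected), ...])].
# Ranges for CVE-2017-5638 as published in the Struts S2-045 advisory; a real gate
# would pull this from a vulnerability database.
ADVISORIES = {
    ("org.apache.struts", "struts2-core"): [
        ("CVE-2017-5638", 10.0, [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]),
    ],
}


@dataclass
class Finding:
    artifact: str
    version: str
    cve: str
    cvss: float


@dataclass
class ScanResult:
    findings: list      # Finding objects
    unresolved: list    # artifacts whose version could not be evaluated


def parse_version(text):
    """Leading dotted-numeric part of a version as an int tuple, or None if unparseable."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def is_affected(version, ranges):
    """True if version falls inside any inclusive [first, last] range."""
    v = parse_version(version)
    if v is None:
        return False
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def scan_pom(pom_text):
    """Match every <dependency> in the pom against the advisory table."""
    root = ET.fromstring(pom_text)
    result = ScanResult(findings=[], unresolved=[])
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId", default="")
        artifact = dep.findtext(POM_NS + "artifactId", default="")
        version = dep.findtext(POM_NS + "version", default="")
        name = f"{group}:{artifact}"
        if parse_version(version) is None:   # e.g. "${struts.version}" or missing
            result.unresolved.append(name)
            continue
        for cve, cvss, ranges in ADVISORIES.get((group, artifact), []):
            if is_affected(version, ranges):
                result.findings.append(Finding(name, version, cve, cvss))
    return result


def gate(result, fail_on_cvss=7.0):
    """Build verdict: fail on any finding at or above the threshold, and fail
    closed when a dependency's version could not be evaluated."""
    blocking = [f for f in result.findings if f.cvss >= fail_on_cvss]
    return not blocking and not result.unresolved


if __name__ == "__main__":
    res = scan_pom(SAMPLE_POM)
    for f in res.findings:
        print(f"FAIL {f.artifact} {f.version}: {f.cve} (CVSS {f.cvss})")
    for name in res.unresolved:
        print(f"WARN {name}: version could not be evaluated")
    passed = gate(res)
    print("build gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

The non-zero exit status is what makes this a "fail the build" control: the CI job stops before the artifact is published. Failing closed on unresolved versions matters in Maven projects, where versions are often `${property}` references that a naive text scan would silently skip.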
DevOps and security together: DevSecOps
• Automated security checks can be built into the pipeline
• A lot of tools are available to address security concerns:
  o SonarQube – SAST
  o OWASP ZAP – DAST
  o WhiteSource Bolt – SCA
  o Microsoft Security Code
  o Codacy, SonarQube, Snyk, Acunetix, logz.io, Contrast Security, …
• Organisations that have mature DevOps practices are 338% more likely to integrate security across the SDLC (source: Sonatype DevSecOps Community Survey 2018)
• Security patches and updates can be applied promptly
• Transparency and continuous improvement
• Long-lived product teams: security is everybody’s responsibility
DevSecOps manifesto
Value things on the left over things on the right
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
Source: https://www.devsecops.org/
What can be done in the SDLC? Shift left and right
Pipeline stages, left to right: Delivery team → Version control → Build → Test → Release → Prod
Practices, ordered from left (delivery team) to right (production):
• Security training
• Security requirements
• Threat modelling
• Architecture review
• Code examples
• OWASP Top 10
• IDE plugins
• Fail the build
• SAST/DAST/IAST
• Configuration analysis
• Application module scanning
• Threat modelling as unit test
• Automated pen testing
• Static code analysis
• Security policy testing
• Configuration analysis
• Security monitoring
• Configuration monitoring
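"Security policy testing" and "threat modelling as unit test" from the list above in code, as an added example that is not from the slides or from Solnet: three of the design controls from the Equifax prevention slide (restricted internet access on servers, network segmentation, no credentials stored in plain text) expressed as checks that run against a deployment description in the pipeline, the way unit tests run against code. The deployment format, both sample deployments, the check functions and the `secretref://` convention are constructed for this example; a real pipeline would feed in its own manifests.

```python
"""Security policy tests over a deployment description. Added example, not from the slides."""
import sys

ALLOWED_EGRESS = {"none", "proxy"}          # no direct internet access from servers
SECRET_KEY_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")
SECRET_REF_PREFIX = "secretref://"          # hypothetical reference into a secret store

# Constructed: a flat deployment with the weaknesses the Equifax findings describe.
WEAK_DEPLOYMENT = {"services": [
    {"name": "dispute-portal", "tier": "web", "segment": "flat-net", "egress": "any",
     "env": {"DB_URL": "jdbc:postgresql://disputes-db/disputes"}},
    {"name": "disputes-db", "tier": "db", "segment": "flat-net", "egress": "any",
     "env": {"ADMIN_PASSWORD": "hunter2"}},
    {"name": "consumer-db", "tier": "db", "segment": "flat-net", "egress": "any",
     "env": {"DB_PASSWORD": "p@ssw0rd"}},
]}

# Constructed: the same system redesigned to pass every check below.
HARDENED_DEPLOYMENT = {"services": [
    {"name": "dispute-portal", "tier": "web", "segment": "dmz", "egress": "proxy",
     "env": {"DB_URL": "jdbc:postgresql://disputes-db/disputes",
             "DB_PASSWORD": "secretref://vault/disputes/db"}},
    {"name": "disputes-db", "tier": "db", "segment": "db-disputes", "egress": "none",
     "env": {"ADMIN_PASSWORD": "secretref://vault/disputes/admin"}},
    {"name": "consumer-db", "tier": "db", "segment": "db-consumer", "egress": "none",
     "env": {"DB_PASSWORD": "secretref://vault/consumer/db"}},
]}


def check_egress(deployment):
    """Every server must have no outbound internet access or go through a proxy."""
    return [f"{s['name']}: egress '{s['egress']}' allows direct internet access"
            for s in deployment["services"] if s["egress"] not in ALLOWED_EGRESS]


def check_segmentation(deployment):
    """Databases sit in their own segments and never share one with the web tier."""
    violations = []
    segments = {}
    for s in deployment["services"]:
        segments.setdefault(s["segment"], []).append(s)
    for seg, members in segments.items():
        tiers = {m["tier"] for m in members}
        dbs = [m["name"] for m in members if m["tier"] == "db"]
        if "web" in tiers and "db" in tiers:
            violations.append(f"segment '{seg}': web and database tiers share a network")
        if len(dbs) > 1:
            violations.append(f"segment '{seg}': databases {dbs} are not segmented from each other")
    return violations


def check_no_plaintext_secrets(deployment):
    """Secret-looking settings must reference the secret store, not carry a literal value."""
    violations = []
    for s in deployment["services"]:
        for key, value in s.get("env", {}).items():
            looks_secret = any(h in key.upper() for h in SECRET_KEY_HINTS)
            if looks_secret and not value.startswith(SECRET_REF_PREFIX):
                violations.append(f"{s['name']}: '{key}' holds a literal credential")
    return violations


def evaluate(deployment):
    """Run every policy check; an empty list means the deployment passes."""
    return (check_egress(deployment)
            + check_segmentation(deployment)
            + check_no_plaintext_secrets(deployment))


if __name__ == "__main__":
    for label, dep in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        found = evaluate(dep)
        print(f"{label}: {len(found)} violation(s)")
        for v in found:
            print("  -", v)
    # a pipeline would gate on the deployment actually being shipped
    sys.exit(1 if evaluate(WEAK_DEPLOYMENT) else 0)
```

Each check is one threat-model assumption made executable, so a redesign that quietly reintroduces a flat network or a literal password is caught at build time rather than in an incident report. The checks can be wrapped in pytest or unittest functions unchanged.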
Solnet dev secops meetup
So what is DevSecOps? ‘Just’ DevOps… with focus on:
1. We are all responsible
2. Engage InfoSec early and often
3. Use the right security tools right
Questions
Stay safe!
We’re here to put our experience and know-how to work for
you and provide you with guidance. With us it’s about
collaboration and shared success.
Aotearoa is our home and we’ve been supporting enterprise
organisations for more than 15 years. We deliver advice and
solutions that work locally.
It’s critically important to us that you deliver successful
outcomes because there’s a great deal riding on it!
Deliver Value Faster Safer
• DevOps
• DevSecOps
• Site Reliability Engineering
Peter Bink – DevOps / DevSecOps – linkedin.com/in/peter-bink/ – peter.bink@solnet.co.nz
Grant Reid – DevOps / SRE – linkedin.com/in/grantreid/ – grant.reid@solnet.co.nz

Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
 

Solnet dev secops meetup

  • 1. DevSecOps – Deliver value faster, safer – Peter Bink, September 2020
  • 3. Cybercrime – who are they? And why do they do it?
    • Advanced Persistent Threat
    • Also lone wolves: Gary McKinnon – “Your security is crap”
    • Timeline: Iran’s nuclear program (Stuxnet) 2010; 2014 – Sony; 2016 – Bangladesh Bank; 2016 – Hillary Clinton; 2017 – WannaCry; 2019 – Venezuelan military; 2019 – Toyota data breach
    • FIG (fun, ideology, and grudge)
    • Other (errors, glitches, etc.)
    Source: https://www.varonis.com/blog/apt-groups/
  • 4. Security Incidents – New Zealand (2019–2020)
    • NZX / Metservice / Mt Ruapehu parking / …?
    • Lion brewery (AU) – website was changed so clients could order milk at a Sydney based consultancy firm. Lion shut down their IT systems to stop the attack, which impacted their supply.
    • Blackbaud – US based provider of SaaS for a lot of universities worldwide, such as Auckland University. Data was stolen, the ransom was paid and the data has been ‘destroyed’.
    • The website of LPM Property Management showed passports, driver's licences and other identity documents of New Zealanders and other nationalities.
    • Contact details of people who have been in contact with New Zealand Police may have been breached.
    • A KiwiSaver provider, Generate, has had its computer systems breached and the personal information of 26,000 of its customers has been taken.
    • …
    • NZ Firearms register from NZ Police
    • Tu Ora Compass Health – up to 1 million New Zealand patients' data breached in criminal cyber hack
  • 5. ‘Fun’ facts around data breaches
    • “Applications are the weakest links” – 53% of all breaches are caused by vulnerabilities in applications
    • “Open source continues to infect everything” – 85% of your code is sourced from external suppliers
    • The average time to identify and contain a breach is 279 days
    • The average total cost of a data breach is USD 3.92 million
    • Cybercrime damage costs are predicted to hit US$ 6 trillion annually
    Sources: 2020 State of application security, Forrester; 2019 Data Breach Investigations Report, Verizon; 2019 State of the software supply chain report, Sonatype; 2020 – 107 Must-Know Data Breach Statistics, Varonis; 2019 Cost of a data breach report, IBM; 2020 Top 5 cyber security stats, Cybersecurity Ventures
  • 7. Attack Example – 2017 Equifax data breach
    • In September 2017, credit reporting giant Equifax reported it had been hacked.
    • 147.9 million people were affected (40% of the US population).
    • Names, dates of birth, driver's license numbers and social security numbers were stolen, plus 200k credit card numbers.
    • Cost Equifax 1.4 billion.
    • Attributed to the People’s Liberation Army (PLA), the armed forces of the People’s Republic of China.
    • Specifically, the PLA’s 54th Research Institute, also known as APT10.
    US DOJ Indictment: https://www.justice.gov/opa/press-release/file/1246891/download
  • 8. Attack Example – 2017 Equifax data breach (CVE-2017-5638)
    • The Apache Struts vulnerability was not identified on the online dispute portal
    • Attacker set up a web shell for persistence (“Jquery1.3.2.min.jsp”)
    • Attacker was not detected immediately
    • Individual databases were not segmented from each other
    • Databases contained credentials for other servers/databases
    US GAO Report: https://www.gao.gov/assets/700/694158.pdf
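The web shell on slide 8 is a file that the build never produced, so comparing the deployed web root against a build-time manifest catches it. This is an added example, not code from the slides or from Solnet; the build output and the deployed tree are constructed in-memory samples, and a real pipeline would write the manifest at build time and run the check on a schedule.

```python
"""Added example: detect drift between a build manifest and a deployed web root."""
import hashlib

# Server-side extensions: an unexpected file with one of these is the highest-severity finding.
SERVER_EXEC = (".jsp", ".jspx", ".war", ".class", ".jar")

# Constructed sample of what the build produced (path -> content).
BUILD_FILES = {
    "WEB-INF/web.xml": b"<web-app/>",
    "static/jquery-1.3.2.min.js": b"/* jquery */",
    "index.jsp": b"<html/>",
}
# Constructed sample of what is on disk later: one added .jsp whose name mirrors
# the web shell named on slide 8 (placeholder content) and one modified config file.
DEPLOYED_FILES = dict(BUILD_FILES)
DEPLOYED_FILES["static/Jquery1.3.2.min.jsp"] = b"<%-- unexpected server-side file --%>"
DEPLOYED_FILES["WEB-INF/web.xml"] = b"<web-app><!-- changed after deploy --></web-app>"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map path -> sha256 for the artifact produced by the build (written at build time)."""
    return {path: sha256(content) for path, content in files.items()}


def drift(manifest: dict, deployed: dict) -> dict:
    """Compare a deployed tree (path -> content) against the manifest."""
    added = sorted(p for p in deployed if p not in manifest)
    modified = sorted(p for p in deployed if p in manifest and sha256(deployed[p]) != manifest[p])
    missing = sorted(p for p in manifest if p not in deployed)
    return {"added": added, "modified": modified, "missing": missing}


def classify(report: dict) -> list:
    """Turn a drift report into (severity, kind, path) alerts; added server-executable files rank highest."""
    alerts = [("high" if p.lower().endswith(SERVER_EXEC) else "medium", "added", p)
              for p in report["added"]]
    alerts += [("medium", "modified", p) for p in report["modified"]]
    alerts += [("low", "missing", p) for p in report["missing"]]
    return alerts


if __name__ == "__main__":
    for alert in classify(drift(build_manifest(BUILD_FILES), DEPLOYED_FILES)):
        print(*alert)
```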
  • 9. Attack Example – 2017 Equifax data breach (CVE-2017-5638): attempts to exploit this vulnerability on your servers occur every day
  • 10. ‘Old’ way of working: finding & fixing security defects at the end of the SDLC
    Penetration testing provides assurance that a solution is secure in its current state, at the current time; however:
    • Any code change has the potential to introduce new vulnerabilities.
    • Over time new vulnerabilities will be discovered in libraries/frameworks.
    • A security tester has a limited budget and limited time.
    • It is expensive to fix issues or make design changes at the end of the SDLC.
    How to move security earlier in the SDLC?
  • 11. DevOps and security – Challenges
    • Continuous delivery / frequent deployments
      o do not always match the need for continuous security attention
      o security architecture support as provided for waterfall projects does not fit this way of working
    • DevOps teams (autonomous) may lack security knowledge
    • Heavy use of tooling, libraries and cloud may increase the security risks
    • DevOps teams need the freedom to experiment to keep improving
    • Empowered and autonomous teams have a lot of rights
  • 12. Attack Example – 2017 Equifax data breach (CVE-2017-5638): how this data breach could have been prevented
    Detecting Apache Struts CVE-2017-5638:
    • Library/Framework Vulnerability Scanning
    • Container Vulnerability Scanning
    • Static Application Security Testing
    • Dynamic Application Security Testing
    Designing systems that would be resilient to the Equifax attack:
    • Web Application Firewall & Virtual Patching
    • Input Validation
    • Restricting internet access on servers (Firewall/Proxy)
    • OS/container Hardening
    • Network Segmentation
    • Secure Credential Storage (no passwords in databases)
    • Ephemeral Environments
    See https://github.com/OWASP/ASVS
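“Library/Framework Vulnerability Scanning” with a “fail the build” outcome reduces to matching declared dependency versions against an advisory feed. The gate below is an added example, not code from the slides or any of the tools named on them: it parses Maven dependencies from a constructed pom.xml and checks them against a constructed advisory record for CVE-2017-5638, whose affected version ranges are given for illustration and must be confirmed against the official Apache advisory or an SCA data source before relying on them.

```python
"""Added example: a minimal dependency gate that fails the build on a known-vulnerable library."""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    affected: tuple  # inclusive (low, high) version ranges
    cve: str


# Constructed sample advisory feed standing in for NVD / OSS Index / a commercial SCA feed.
# The ranges are illustrative; verify them against the official advisory.
ADVISORIES = [
    Advisory("org.apache.struts", "struts2-core",
             (("2.3.5", "2.3.31"), ("2.5", "2.5.10")), "CVE-2017-5638"),
]

# Constructed sample pom.xml: one vulnerable and one unrelated dependency.
SAMPLE_POM = """<project><dependencies>
  <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId><version>2.3.31</version></dependency>
  <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>3.9</version></dependency>
</dependencies></project>"""

DEP_RE = re.compile(r"<dependency>(.*?)</dependency>", re.S)
TAG_RE = re.compile(r"<(groupId|artifactId|version)>\s*([^<\s]+)\s*</\1>")


def parse_version(v: str) -> tuple:
    """'2.5.10' -> (2, 5, 10); '2.5' -> (2, 5), which sorts below (2, 5, 0) and (2, 5, 10)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_pom(pom: str) -> list:
    """Return (groupId, artifactId, version) for every fully specified <dependency>."""
    deps = []
    for body in DEP_RE.findall(pom):
        tags = dict(TAG_RE.findall(body))
        if {"groupId", "artifactId", "version"} <= tags.keys():
            deps.append((tags["groupId"], tags["artifactId"], tags["version"]))
    return deps


def find_vulnerable(pom: str) -> list:
    """One 'group:artifact:version -> CVE' line per dependency inside an affected range."""
    findings = []
    for g, a, ver in parse_pom(pom):
        for adv in ADVISORIES:
            if (adv.group, adv.artifact) == (g, a) and any(
                    parse_version(lo) <= parse_version(ver) <= parse_version(hi) for lo, hi in adv.affected):
                findings.append(f"{g}:{a}:{ver} -> {adv.cve}")
    return findings


if __name__ == "__main__":  # non-zero exit fails the pipeline stage
    hits = find_vulnerable(SAMPLE_POM)
    print("\n".join(hits) or "no known-vulnerable dependencies")
    sys.exit(1 if hits else 0)
```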
  • 13. DevOps and security together: DevSecOps
    • Automated security checks can be built into the pipeline
    • A lot of tools are available to address security concerns:
      • SonarQube – SAST
      • OWASP ZAP – DAST
      • WhiteSource Bolt – SCA
      • Microsoft Security Code
      • Codacy, SonarQube, Snyk, Acunetix, logz.io, Contrast Security, …
    • Organisations that have mature DevOps practices are 338% more likely to integrate security across the SDLC (source: Sonatype DevSecOps community survey 2018)
    • Security patches and updates can be applied promptly
    • Transparency and continuous improvement
    • Long lived product teams: security is everybody's responsibility
  • 14. DevSecOps manifesto – value things on the left over things on the right:
    • Leaning in over Always Saying “No”
    • Data & Security Science over Fear, Uncertainty and Doubt
    • Open Contribution & Collaboration over Security-Only Requirements
    • Consumable Security Services with APIs over Mandated Security Controls & Paperwork
    • Business Driven Security Scores over Rubber Stamp Security
    • Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
    • 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
    • Shared Threat Intelligence over Keeping Info to Ourselves
    • Compliance Operations over Clipboards & Checklists
    Source: https://www.devsecops.org/
  • 15. What can be done in the SDLC? Shift left and right
    Pipeline stages: Delivery team → Version control → Build → Test → Release → Prod
    Security activities laid out across these stages: Security training, Security requirements, Threat modelling, Architecture review, Code examples, OWASP Top 10, IDE plugins, Fail the build, SAST/DAST/IAST, Configuration analysis, Application module scanning, Threat modelling as unit test, Automated pen testing, Static code analysis, Security policy testing, Configuration analysis, Security monitoring, Configuration monitoring
  • 17. So what is DevSecOps? ‘Just’ DevOps… with focus on:
    1. We are all responsible
    2. Engage InfoSec early and often
    3. Use the right security tools right
    Questions?
  • 18. Stay safe! We’re here to put our experience and know-how to work for you and provide you with guidance. With us it’s about collaboration and shared success. Aotearoa is our home and we’ve been supporting enterprise organisations for more than 15 years. We deliver advice and solutions that work locally. It’s critically important to us that you deliver successful outcomes because there’s a great deal riding on it!
    Deliver Value Faster Safer: • DevOps • DevSecOps • Site Reliability Engineering
    Peter Bink – DevOps / DevSecOps – linkedin.com/in/peter-bink/ – peter.bink@solnet.co.nz
    Grant Reid – DevOps / SRE – linkedin.com/in/grantreid/ – grant.reid@solnet.co.nz

Editor's Notes

  1. Japan (top 3 on the list of GDP) has a GDP of US$ 5 trillion; NZ GDP is US$ 205 billion.
  2. Security tools in the XebiaLabs periodic table: OWASP ZAP, Sonatype Nexus IQ, CyberArk Conjur, Veracode, Digital.ai App Protection, Aqua Security, HashiCorp Vault, SonarQube, Micro Focus Fortify SCA, Synopsys Black Duck, Checkmarx SAST, Snort, PortSwigger Burp Suite