Uploaded bypbink
PPTX, PDF103 views

Solnet dev secops meetup

DevSecOps aims to integrate security practices into DevOps workflows to deliver value faster and safer. It addresses challenges like keeping security practices aligned with continuous delivery models and empowered DevOps teams. DevSecOps incorporates security checks and tools into development pipelines to find and fix issues early. This helps prevent breaches like the 2017 Equifax hack, which exploited a known vulnerability. DevSecOps promotes a culture of collaboration, shared responsibility, and proactive security monitoring throughout the software development lifecycle.

Software
Related topics:
Information Security

Embed presentation

Download to read offline
DevSecOps Deliver value faster safer Peter Bink – September 2020
The DevXXXOps explosion DataOps DevSecOps MLOps GitOps AIOps DevDataOps DesignOps CloudOps NoOps WinOps = DevOps 2 DevTestOps
• Advanced Persistent Threat Also lone wolves: Gary McKinnon – “Your security is crap” Source: https://www.varonis.com/blog/apt-groups/ Iran’s nuclear program (Stuxnet) 2010 2014 – Sony 2016 – Bangladesh Bank 2017 - WannaCry 2016 – Hilary Clinton 2019 – Venezuelan military Cybercrime – who are they? 2019 – Toyota data breach FIG (fun, ideology, and grudge) Other (errors, glitches, etc.) And why do they do it?
Security Incidents – New Zealand • NZX / Metservice / Mt Ruapehu parking / …? • Lion brewery (AU) – website was changed so clients could order milk at a Sydney based consultancy firm. Lion shut down their IT systems to stop the attack which impacted their supply. • Blackbaud – US based provider of SaaS for a lot of universities worldwide, such as Auckland university. Data has been stolen, ransom has been paid and data has been ‘destroyed’. • The website of LPM Property Management - showed passports, drivers licenses, and other identity documents, of New Zealanders and other nationalities. • Contact details of people who have been in contact with New Zealand Police may have been breached. • A KiwiSaver provider, Generate, has had its computer systems breached and the personal information of 26,000 of its customers has been taken. • … • NZ Firearms register from NZ Police • Tu Ora Compass health - Up to 1 million New Zealand patients' data breached in criminal cyber hack 2019 2020
“Applications are the weakest links” 53% of all breaches are caused by vulnerabilities in Applications Source: 2020 State of application security, Forrester Source: 2019 Data Breach Investigations Report, Verizon ‘Fun’ facts around data breaches Source: 2019 State of the software supply chain report, Sonatype Source: 2020 State of application security, Forrester Source: 2020 - 107 Must-Know Data Breach Statistics, Varonis Source: 2019 Cost of a data breach report, IBM Source: 2020 Top 5 cyber security stats, Cybersecurity ventures “Open source continues to infect everything” 85% of your code is sourced from external suppliers The average time to identify and contain a breach is 279 days The average total cost of a data breach is $USD 3.92 Million Cybercrime damage costs are predicted to hit US$ 6 trillion annually
Source: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Attack Example – 2017 Equifax data breach US DOJ Indictment: https://www.justice.gov/opa/press-release/file/1246891/download • In September 2017, credit reporting giant Equifax reported it had been hacked. • 147.9 million people were affected (40% of US population). • Names, date of births, drivers license numbers, and social security numbers were stolen plus 200k credit card numbers. • Cost Equifax 1.4 Billion. • Attributed to the People’s Liberation Army (PLA), the armed forces of the Peoples Republic of China. • Specifically, the PLA’s 54th Research Institute, also known as APT10.
• Apache struts vulnerability was not identified on the online dispute portal • Attacker set up a web shell for persistence “Jquery1.3.2.min.jsp” • Attacker was not detected immediately • Individual databases were not segmented from each other • Databases contained credentials for other servers/databases US GAO Report: https://www.gao.gov/assets/700/694158.pdf Attack Example – 2017 Equifax data breach (CVE-2017-5638)
Attempts to exploit this vulnerability on your servers occur every day (CVE-2017-5638) Attack Example – 2017 Equifax data breach
‘Old’ way of working Penetration testing provides assurance that a solution is secure in its current state, at the current time, however: • Any code change has the potential to introduce new vulnerabilities. • Over time new vulnerabilities will be discovered in libraries/frameworks. • A security tester has a limited budget and limited time. • It is expensive to fix issues or make design changes at the end of the SDLC. Finding & fixing security defects at the end of the SDLC How to move security earlier in the SDLC??????
DevOps and security - Challenges • Continuous delivery / often deployments o and the need for continuous security attention not always match o and security architecture support for waterfall projects is not similar • DevOps teams (autonomous) may lack security knowledge • Use a lot of tooling, libraries and cloud may increase the security risks • DevOps teams need the freedom to experiment to keep improving • Empowered and autonomous team have a lot of rights
How this data breach could have been prevented: Detecting Apache Struts CVE-2017-5638 • Library/Framework Vulnerability Scanning • Container Vulnerability Scanning • Static Application Security Testing • Dynamic Application Security Testing Designing systems that would be resilient to the Equifax attack • Web Application Firewall & Virtual Patching • Input Validation • Restricting internet access on servers (Firewall/Proxy) • OS/container Hardening • Network Segmentation • Secure Credential Storage (no passwords in databases) • Ephemeral Environments https://github.com/OWASP/ASVS (CVE-2017-5638) Attack Example – 2017 Equifax data breach
DevOps and security together: DevSecOps • Automated security checks can be built into the pipeline • A lot of tools are available to address security concerns • Sonarcube - SAST • OWASP ZAP - DAST • Whitesource Bolt - SCA • Microsoft Security Code • Codacy, Sonarcube, Snyk, Acunetix, logz.io, Contrast security, …. • Organisations that have mature DevOps practices are 338% more likely to integrate security across the SDLC (source: Sonatype DevSecOps community survey 2018) • Security patches and updates can be applied promptly • Transparency and continuous improvement • Long lived product teams: Security is everybody's responsibility
DevSecOps manifesto Value things on the left over things on the right Leaning in over Always Saying “No” Data & Security Science over Fear, Uncertainty and Doubt Open Contribution & Collaboration over Security-Only Requirements Consumable Security Services with APIs over Mandated Security Controls & Paperwork Business Driven Security Scores over Rubber Stamp Security Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Shared Threat Intelligence over Keeping Info to Ourselves Compliance Operations over Clipboards & Checklists Source: https://www.devsecops.org/
What can be done in the SDLC? Shift left and right Delivery team Version control Build Test Release Prod Security training Security requirements Threat modelling Architecture review Code examples OWASP Top 10 IDE plugins Fail the build SAST/DAST/IAST Configuration analysis Application module scanning Threat modelling as unit test Automated Pen testing Static code analysis Security policy testing Configuration analysis Security monitoring Configuration monitoring
1. We are all responsible So what is DevSecOps? ???? Questions 2. Engage InfoSec early and often 3. Use the right security tools right ‘Just’ DevOps….. with focus on
Stay safe! We’re here to put our experience and know-how to work for you and provide you with guidance. With us it’s about collaboration and shared success. Aotearoa is our home and we’ve been supporting enterprise organisations for more than 15 years. We deliver advice and solutions that work locally. It’s critically important to us that you deliver successful outcomes because there’s a great deal riding on it! Deliver Value Faster Safer • DevOps • DevSecOps • Site Reliability Engineering Peter Bink DevOps / DevSecOps Grant Reid DevOps / SRE linkedin.com/in/grantreid/linkedin.com/in/peter-bink/ peter.bink@solnet.co.nz grant.reid@solnet.co.nz

More Related Content

PDF
Web App Attacks - Stats & Remediation
byQualys
 
PPTX
Anatomy of an Attack - Sophos Day Belux 2014
bySophos Benelux
 
PDF
Security Automation and Orchestration
byGreg Foss
 
PDF
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
byAlert Logic
 
PDF
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
byAlert Logic
 
PDF
The Intersection of Security & DevOps
byAlert Logic
 
PPTX
Humla workshop on Android Security Testing - null Singapore
byn|u - The Open Security Community
 
PDF
Managing third party libraries
byn|u - The Open Security Community
 
Web App Attacks - Stats & Remediation
byQualys
 
Anatomy of an Attack - Sophos Day Belux 2014
bySophos Benelux
 
Security Automation and Orchestration
byGreg Foss
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
byAlert Logic
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
byAlert Logic
 
The Intersection of Security & DevOps
byAlert Logic
 
Humla workshop on Android Security Testing - null Singapore
byn|u - The Open Security Community
 
Managing third party libraries
byn|u - The Open Security Community
 

What's hot

PDF
Realities of Security in the Cloud
byAlert Logic
 
PPTX
How to Rapidly Identify Assets at Risk to WannaCry Ransomware
byQualys
 
PDF
Security Implications of the Cloud
byAlert Logic
 
PDF
Infosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
bySkybox Security
 
PDF
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
byCR Group
 
PPTX
The New Security Practitioner
byAdrian Sanabria
 
PDF
Robert Hurlbut - Threat Modeling for Secure Software Design
bycentralohioissa
 
PPTX
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
byDerrick Hunter
 
PPTX
Continuous Automated Red Teaming (CART) - Bikash Barai
byAllanGray11
 
PPTX
Netpluz - Managed Firewall & Endpoint Protection
byNetpluz Asia Pte Ltd
 
PPTX
Disección de amenazas en entornos de nube
byCristian Garcia G.
 
PPTX
The state of endpoint defense in 2021
byAdrian Sanabria
 
PDF
Web Application Security and Awareness
byAbdul Rahman Sherzad
 
PDF
Threat intel- -content-curation-organizing-the-path-to-successful-detection
byPriyanka Aash
 
PDF
Security Starts at the Endpoint
byElasticsearch
 
PDF
Anatomy of the Compromised Insider
byImperva
 
PPTX
Kent King - PKI: Do You Know Your Exposure?
bycentralohioissa
 
PDF
Realities of Security in the Cloud
byAlert Logic
 
PPTX
Owasp top 10 2017
byibrahimumer2
 
PDF
Tenable Solutions for Enterprise Cloud Security
byMarketingArrowECS_CZ
 
Realities of Security in the Cloud
byAlert Logic
 
How to Rapidly Identify Assets at Risk to WannaCry Ransomware
byQualys
 
Security Implications of the Cloud
byAlert Logic
 
Infosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
bySkybox Security
 
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
byCR Group
 
The New Security Practitioner
byAdrian Sanabria
 
Robert Hurlbut - Threat Modeling for Secure Software Design
bycentralohioissa
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
byDerrick Hunter
 
Continuous Automated Red Teaming (CART) - Bikash Barai
byAllanGray11
 
Netpluz - Managed Firewall & Endpoint Protection
byNetpluz Asia Pte Ltd
 
Disección de amenazas en entornos de nube
byCristian Garcia G.
 
The state of endpoint defense in 2021
byAdrian Sanabria
 
Web Application Security and Awareness
byAbdul Rahman Sherzad
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
byPriyanka Aash
 
Security Starts at the Endpoint
byElasticsearch
 
Anatomy of the Compromised Insider
byImperva
 
Kent King - PKI: Do You Know Your Exposure?
bycentralohioissa
 
Realities of Security in the Cloud
byAlert Logic
 
Owasp top 10 2017
byibrahimumer2
 
Tenable Solutions for Enterprise Cloud Security
byMarketingArrowECS_CZ
 

Similar to Solnet dev secops meetup

PDF
ScotSecure 2020
byRay Bugg
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PDF
11 secure development
byLen Bass
 
PDF
Outpost24 webinar: Turning DevOps and security into DevSecOps
byOutpost24
 
PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PPTX
Module 1 - Evolution to Secure DevOps.pptx
byaaronpham13
 
PDF
DevOps and Devsecops.pdf
byTechugo
 
PDF
DevOps and Devsecops- What are the Differences.
byTechugo
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
Security as Code (Second Early Release) Bk Sarthak Das
byminroyallugg
 
PDF
DevOps and Devsecops- Everything you need to know.
byTechugo
 
PPTX
Security and DevOps Overview
byAdrian Sanabria
 
PDF
Security as Code (Second Early Release) Bk Sarthak Das
bymagaudzontar
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PDF
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
bySBA Research
 
PDF
DevOps and Devsecops What are the Differences.pdf
byTechugo
 
ScotSecure 2020
byRay Bugg
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
The Future of Software Security Assurance
byRafal Los
 
11 secure development
byLen Bass
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
byOutpost24
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
Module 1 - Evolution to Secure DevOps.pptx
byaaronpham13
 
DevOps and Devsecops.pdf
byTechugo
 
DevOps and Devsecops- What are the Differences.
byTechugo
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
Security as Code (Second Early Release) Bk Sarthak Das
byminroyallugg
 
DevOps and Devsecops- Everything you need to know.
byTechugo
 
Security and DevOps Overview
byAdrian Sanabria
 
Security as Code (Second Early Release) Bk Sarthak Das
bymagaudzontar
 
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
The What, Why, and How of DevSecOps
byCprime
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
bySBA Research
 
DevOps and Devsecops What are the Differences.pdf
byTechugo
 

Recently uploaded

PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PDF
Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#
byVineet Sharma
 
PPTX
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PPTX
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PDF
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PDF
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#
byVineet Sharma
 
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 

Solnet dev secops meetup

  • 1.
    DevSecOps Deliver value fastersafer Peter Bink – September 2020
  • 2.
  • 3.
    • Advanced PersistentThreat Also lone wolves: Gary McKinnon – “Your security is crap” Source: https://www.varonis.com/blog/apt-groups/ Iran’s nuclear program (Stuxnet) 2010 2014 – Sony 2016 – Bangladesh Bank 2017 - WannaCry 2016 – Hilary Clinton 2019 – Venezuelan military Cybercrime – who are they? 2019 – Toyota data breach FIG (fun, ideology, and grudge) Other (errors, glitches, etc.) And why do they do it?
  • 4.
    Security Incidents –New Zealand • NZX / Metservice / Mt Ruapehu parking / …? • Lion brewery (AU) – website was changed so clients could order milk at a Sydney based consultancy firm. Lion shut down their IT systems to stop the attack which impacted their supply. • Blackbaud – US based provider of SaaS for a lot of universities worldwide, such as Auckland university. Data has been stolen, ransom has been paid and data has been ‘destroyed’. • The website of LPM Property Management - showed passports, drivers licenses, and other identity documents, of New Zealanders and other nationalities. • Contact details of people who have been in contact with New Zealand Police may have been breached. • A KiwiSaver provider, Generate, has had its computer systems breached and the personal information of 26,000 of its customers has been taken. • … • NZ Firearms register from NZ Police • Tu Ora Compass health - Up to 1 million New Zealand patients' data breached in criminal cyber hack 2019 2020
  • 5.
    “Applications are theweakest links” 53% of all breaches are caused by vulnerabilities in Applications Source: 2020 State of application security, Forrester Source: 2019 Data Breach Investigations Report, Verizon ‘Fun’ facts around data breaches Source: 2019 State of the software supply chain report, Sonatype Source: 2020 State of application security, Forrester Source: 2020 - 107 Must-Know Data Breach Statistics, Varonis Source: 2019 Cost of a data breach report, IBM Source: 2020 Top 5 cyber security stats, Cybersecurity ventures “Open source continues to infect everything” 85% of your code is sourced from external suppliers The average time to identify and contain a breach is 279 days The average total cost of a data breach is $USD 3.92 Million Cybercrime damage costs are predicted to hit US$ 6 trillion annually
  • 6.
  • 7.
    Attack Example –2017 Equifax data breach US DOJ Indictment: https://www.justice.gov/opa/press-release/file/1246891/download • In September 2017, credit reporting giant Equifax reported it had been hacked. • 147.9 million people were affected (40% of US population). • Names, date of births, drivers license numbers, and social security numbers were stolen plus 200k credit card numbers. • Cost Equifax 1.4 Billion. • Attributed to the People’s Liberation Army (PLA), the armed forces of the Peoples Republic of China. • Specifically, the PLA’s 54th Research Institute, also known as APT10.
  • 8.
    • Apache strutsvulnerability was not identified on the online dispute portal • Attacker set up a web shell for persistence “Jquery1.3.2.min.jsp” • Attacker was not detected immediately • Individual databases were not segmented from each other • Databases contained credentials for other servers/databases US GAO Report: https://www.gao.gov/assets/700/694158.pdf Attack Example – 2017 Equifax data breach (CVE-2017-5638)
  • 9.
    Attempts to exploitthis vulnerability on your servers occur every day (CVE-2017-5638) Attack Example – 2017 Equifax data breach
  • 10.
    ‘Old’ way ofworking Penetration testing provides assurance that a solution is secure in its current state, at the current time, however: • Any code change has the potential to introduce new vulnerabilities. • Over time new vulnerabilities will be discovered in libraries/frameworks. • A security tester has a limited budget and limited time. • It is expensive to fix issues or make design changes at the end of the SDLC. Finding & fixing security defects at the end of the SDLC How to move security earlier in the SDLC??????
  • 11.
    DevOps and security- Challenges • Continuous delivery / often deployments o and the need for continuous security attention not always match o and security architecture support for waterfall projects is not similar • DevOps teams (autonomous) may lack security knowledge • Use a lot of tooling, libraries and cloud may increase the security risks • DevOps teams need the freedom to experiment to keep improving • Empowered and autonomous team have a lot of rights
  • 12.
    How this databreach could have been prevented: Detecting Apache Struts CVE-2017-5638 • Library/Framework Vulnerability Scanning • Container Vulnerability Scanning • Static Application Security Testing • Dynamic Application Security Testing Designing systems that would be resilient to the Equifax attack • Web Application Firewall & Virtual Patching • Input Validation • Restricting internet access on servers (Firewall/Proxy) • OS/container Hardening • Network Segmentation • Secure Credential Storage (no passwords in databases) • Ephemeral Environments https://github.com/OWASP/ASVS (CVE-2017-5638) Attack Example – 2017 Equifax data breach
  • 13.
    DevOps and securitytogether: DevSecOps • Automated security checks can be built into the pipeline • A lot of tools are available to address security concerns • Sonarcube - SAST • OWASP ZAP - DAST • Whitesource Bolt - SCA • Microsoft Security Code • Codacy, Sonarcube, Snyk, Acunetix, logz.io, Contrast security, …. • Organisations that have mature DevOps practices are 338% more likely to integrate security across the SDLC (source: Sonatype DevSecOps community survey 2018) • Security patches and updates can be applied promptly • Transparency and continuous improvement • Long lived product teams: Security is everybody's responsibility
  • 14.
    DevSecOps manifesto Value thingson the left over things on the right Leaning in over Always Saying “No” Data & Security Science over Fear, Uncertainty and Doubt Open Contribution & Collaboration over Security-Only Requirements Consumable Security Services with APIs over Mandated Security Controls & Paperwork Business Driven Security Scores over Rubber Stamp Security Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Shared Threat Intelligence over Keeping Info to Ourselves Compliance Operations over Clipboards & Checklists Source: https://www.devsecops.org/
  • 15.
    What can bedone in the SDLC? Shift left and right Delivery team Version control Build Test Release Prod Security training Security requirements Threat modelling Architecture review Code examples OWASP Top 10 IDE plugins Fail the build SAST/DAST/IAST Configuration analysis Application module scanning Threat modelling as unit test Automated Pen testing Static code analysis Security policy testing Configuration analysis Security monitoring Configuration monitoring
  • 17.
    1. We areall responsible So what is DevSecOps? ???? Questions 2. Engage InfoSec early and often 3. Use the right security tools right ‘Just’ DevOps….. with focus on
  • 18.
    Stay safe! We’re hereto put our experience and know-how to work for you and provide you with guidance. With us it’s about collaboration and shared success. Aotearoa is our home and we’ve been supporting enterprise organisations for more than 15 years. We deliver advice and solutions that work locally. It’s critically important to us that you deliver successful outcomes because there’s a great deal riding on it! Deliver Value Faster Safer • DevOps • DevSecOps • Site Reliability Engineering Peter Bink DevOps / DevSecOps Grant Reid DevOps / SRE linkedin.com/in/grantreid/linkedin.com/in/peter-bink/ peter.bink@solnet.co.nz grant.reid@solnet.co.nz

Editor's Notes

  • #6 Japan (top 3 on the list of GDP) has a GDP of US$ 5 trillion. NZ GDP $US 205 billion
  • #18 Security tools in periodic table Xenialabs: OWASP ZAP Sonatype Nexus IQ CyberAk conjur Veracode Digital.ai App Protection Aqua security HashiCorp vault SonarCube Micro Focus Fortify SCA Synopsis Black Duck Checkmarx SAST Snort PortSwigger Burp suite