This document discusses succeeding in the marriage of cybersecurity and DevOps. It outlines five keys to a successful marriage: 1) establish a common process framework; 2) commit to collaboration; 3) design for security from inception; 4) strive to automate security processes; and 5) continuously learn and innovate. The document provides examples of how tools like Espial can help automate and integrate security testing into the development pipeline to enable continuous detection and faster remediation of vulnerabilities.
Simplify Dev with Complicated Security Tools (Kevin Fealey)
Abstract:
Writing secure applications is not easy, but keeping a security mindset during development can help reduce the rework caused by pre-release security assessments. No one should expect developers to be security experts – that’s not the path you’ve chosen – but the prevalence of free, open-source security tools and information can enable devs to detect many common and critical security issues before QA. This talk will focus on how developers can maximize the return on their security investment by automating detection of many vulnerabilities that security teams would find later in the SDLC. We’ll talk about freely available tools and techniques – some of which may already be in your dev environment – that can enable non-disruptive security testing in development. And for those developers who are already security testing their code, we'll discuss how to take your testing to the next level by embedding it into your functional testing.
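One way to embed security checks into an existing functional test, as the abstract above proposes. This is an added example, not code from the talk: a hypothetical request handler stands in for an application endpoint, and a single test routine runs the normal feature check and, on the same code path, a reflected-input probe and a security-header check. The handler names, the required header set and the probe string are assumptions.

```python
"""Security assertions embedded in a functional test.

Added example, not code from the talk: a hypothetical request handler
stands in for an application endpoint, and one test routine runs the
normal feature check and, on the same code path, a reflected-input probe
and a security-header check. Names, headers and the probe are assumptions.
"""
import html
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Headers the team has decided every HTML response must carry (assumed policy).
REQUIRED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
}


def greet_vulnerable(name: str) -> Response:
    """'Before' version: reflects the caller-supplied name into HTML unencoded."""
    return Response(200, {"Content-Type": "text/html; charset=utf-8"},
                    f"<h1>Hello {name}</h1>")


def greet_hardened(name: str) -> Response:
    """'After' version: output-encodes the name and sets the required headers."""
    return Response(200, dict(REQUIRED_HEADERS),
                    f"<h1>Hello {html.escape(name, quote=True)}</h1>")


# A probe a security tester would send; if it comes back verbatim the
# endpoint is reflecting input without output encoding.
XSS_PROBE = '<script>alert(1)</script>'


def check_endpoint(handler: Callable[[str], Response]) -> List[str]:
    """Functional check plus security checks on one endpoint.

    Returns a list of findings; an empty list means the endpoint passed.
    Keeping the security checks in the same routine as the feature check
    means they run on every build, not only during a pre-release assessment.
    """
    findings: List[str] = []

    # 1. The feature behaviour the functional test already verifies.
    normal = handler("Alice")
    if normal.status != 200 or "Hello Alice" not in normal.body:
        findings.append("functional: greeting not rendered")

    # 2. Same call path, hostile input: the raw probe must not be reflected.
    probed = handler(XSS_PROBE)
    if XSS_PROBE in probed.body:
        findings.append("xss: input reflected without output encoding")

    # 3. Security headers must be present and correct on the response.
    for name, value in REQUIRED_HEADERS.items():
        if probed.headers.get(name) != value:
            findings.append(f"header: {name} missing or wrong")

    return findings


if __name__ == "__main__":
    for fn in (greet_vulnerable, greet_hardened):
        print(fn.__name__, check_endpoint(fn) or "PASS")
```

Under pytest the same routine becomes `assert check_endpoint(greet_hardened) == []`, so a regression in output encoding or a dropped header fails the build the same way a broken feature would, without a separate security tool in the loop.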
Just when you thought DevOps was the new black, along comes SecDevOps. In this webinar, Andrew Storms, Sr. Director of DevOps at CloudPassage, and Alan Shimel, Co-Founder of DevOps.com, will discuss the emerging hybrid role of DevOps and Security. Tune in to hear them cover the following topics and why DevOps should want to play a bigger part in security:
Go beyond the traditional by using DevOps tools, practices and methods to create a SecDevOps force multiplier
Orchestrate and Automate - Deputize everyone to incorporate security into their day-to-day responsibilities
Examples of security automation and case situations that minimize risk and drive flexibility for DevOps
See how SaaS provider CloudPassage integrates security into its own development and operations workflows
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program (Denim Group)
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with the run-time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can realistically be included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams have started to focus on cloud-native development techniques and technologies.
Slides from presentation delivered at InfoSecWeek in London (Oct 2016) about making developers more productive, embedding security practices into the SDL and ensuring that security risks are accepted and understood.
The focus is on the Dev part of SecDevOps, and on the challenges of creating Security Champions for all DevOps stages.
[DevSecOps Live] DevSecOps: Challenges and Opportunities (Mohammed A. Imran)
In this Practical DevSecOps "DevSecOps Live" online meetup, you’ll learn about DevSecOps challenges and opportunities.
Join Mohan Yelnadu, head of application security at Prudential Insurance on his DevSecOps Journey.
He will cover DevSecOps challenges he has faced and how he converted them into opportunities.
He will cover the following as part of the session.
DevSecOps Challenges.
DevSecOps Opportunities.
Converting Challenges into Opportunities.
Quick wins and lessons learned.
… and more useful takeaways!
DevSecOps - It can change your life (cycle) (Qualitest)
QualiTest explains how a secured DevOps (DevSecOps) delivery process can be achieved using automated code scanning, enabling a significant shift left of issue detection and minimizing the time to fix. Whether you are considering DevSecOps, on the path, or already there, this slide deck is for you.
For more information, please visit www.QualiTestGroup.com
we45’s SecDevOps and Security Automation Framework (2SAF) aims at decreasing mean time to product deployment with reduced operational resources – with the inclusion of relevant custom product security controls. The 2SAF enables engineering teams to implement a customized, automated and threat-modeled penetration testing model for every release of the product lifecycle.
Our powerful Review – Train – Study model has enabled engineering and DevOps teams to implement 2SAF within weeks to a fully operational and measurable working framework.
SecDevOps 2.0 - Managing Your Robot Army (conjur_inc)
Configuration management builds systems to run the code, Orchestration spins up and manages entire systems, and SDN creates the network architecture. All of these things are programmable, the entire system can be operated by a developer from a terminal. Teams of 5 or 6 people can build and operate really big systems.
Building an AppSec Pipeline: Keeping your program, and your life, sane (weaveraaaron)
Are you currently running an AppSec program? AppSec programs fall into an odd middle ground: highly technical interactions with the dev and ops teams, yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business, all while making sure you’re catching vulnerabilities as early and often as possible?
The AppSec team and the business created an AppSec Pipeline to handle the workflow. The pipeline starts with “Bag of Holding”, an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place.
SecDevOps is a set of business methodologies, operational procedures, & cultural practices proven to increase security, improve software quality, improve release frequency, & provide immediate insight into organizational exposures.
This presentation was accepted to the ASIA 2018 conference, authored by Thomas Cappetta.
Taking AppSec to 11 - BSides Austin 2016 (Matt Tesauro)
Curious how DevOps, Agile and CI/CD ideas can speed up your AppSec program? Here's how it can be done and an example where it led to a 5x speed/flow improvement.
2018-07-24 Network security at the speed of DevOps - webinar (AlgoSec)
DevOps methodologies have become extremely popular to enable agile application development and delivery.
In this webinar, Anner Kushnir, AlgoSec’s VP of Technology will describe how the innovative 'Connectivity as Code' approach can be implemented to overcome these challenges, and seamlessly weave network security into the existing CI/CD pipeline in order to fully automate the application delivery process end-to-end.
Shifting the conversation from active interception to proactive neutralization (Rogue Wave Software)
When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective.
In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions.
Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception
HouSecCon 2019: Offensive Security - Starting from Scratch (Spencer Koch)
HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.
Lessons from DevOps: Taking DevOps practices into your AppSec Life (Matt Tesauro)
Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water“.
AppSec needs to look beyond itself for answers to solving problems, since we live in a world of ever-increasing numbers of apps. Technology and apps have invaded our lives, so how do you lead a security counter-insurgency? One way is to look at the key tenets of DevOps and apply those that make sense to your approach to AppSec. Something has to change, as the application landscape is already changing around us.
DevSecOps Fundamentals and the Scars to Prove it (Matt Tesauro)
This talk instills the lessons learned from multiple security automation efforts and the key elements needed to be successful. Success across multiple dimensions is covered, including increasing team throughput and engaging and supporting external teams. The idea is to give the audience a leg up on starting a DevSecOps program and allow them to skip some painful lessons. Instead, they can focus on getting the key pieces in place and reaping the rewards of DevSecOps quickly. Several real-world examples (and metrics) will be provided to demonstrate why you want to start a DevSecOps journey.
DevSecOps Singapore 2017 - Security in the Delivery Pipeline (James Wickett)
This talk is from DevSecOps Singapore, June 29th, 2017.
Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.
Barriers to Container Security and How to Overcome Them (WhiteSource)
Over the past few years, more and more companies are turning to containerized environments to scale their applications.
However, keeping containers secure throughout the development life cycle presents many challenges to security and development teams. In order to address them, organizations need to adopt a new set of security processes and tools.
This session will focus on the three most vulnerable areas of container security and the best practices to help teams develop and deploy securely.
Join Jeffrey Martin, Senior Director of Product at WhiteSource, as he discusses:
The top challenges to security in containerized environments
How DevSecOps addresses security in containerized environments
Tips and tricks for successfully incorporating security into the container lifecycle
DevSecOps is a new way to deliver security as part of the Software Supply Chain. It supports a built-in process and faster security feedback loop for DevOps teams.
Whether you're a huge enterprise or a small start-up, you can't escape global digitalization. As digital technologies like machine-2-machine communication, device-2-device telematics, connected cars, and the Internet of Things become more integral in today’s world, more threats will appear as hackers use new ways to exploit weaknesses in your organization and products.
During SoftServe’s free security webinar, Nazar Tymoshyk will explore the reasons why recent victims of digital attacks couldn’t withstand a threat to their security and share how you can build secure and compliant software with the help of security experts. A real-life case study will demonstrate how SoftServe assessed and mitigated security threats for a top organization.
Most of the money thrown at securing information systems misses the weak spots. Huge amounts are spent securing infrastructure while web applications are left exposed. It is a crisis that is largely ignored.
Software development teams, under pressure to deliver features and meet deadlines, often respond to concerns about the security of their web applications by commissioning a last-minute security assessment and then desperately attempt to address only the most glaring findings. They may even simply throw up a web application firewall to mitigate the threats. Such bolted-on solutions are not long-term answers to web application security.
Instead, we advocate a built-in approach. We will show that by weaving security into the software development life cycle, and using mature resources for security coding standards, toolkits and frameworks such as those from OWASP, development teams can consistently produce secure systems without dramatically increasing the development effort or cost.
This slide deck was most recently presented at a SPIN meeting in Cape Town In September 2012 by Paul and Theo from ThinkSmart (www.thinksmart.co.za).
For more information, contact Paul at ThinkSmart (dot see oh dot zed ay).
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.
This is the latest version of the State of the DevSecOps presentation, which was given by Stefan Streichsbier, founder of guardrails.io, as the keynote for the Singapore Computer Society - DevSecOps Seminar in Singapore on the 13th January 2020.
Why Security Engineers Need to Shift Left to DevSecOps (Najib Radzuan)
In the fusion between DevOps and DevSecOps, the pace and agility of the DevSecOps approach have left AppSec and InfoSec a little behind. The DevOps squad topology does not involve any of the organization's AppSec and InfoSec engineers, and many DevOps teams do not include them because they lack the knowledge of how to manage and configure DevOps CI/CD pipelines and DevSecOps approaches. There's no shortage of talent; more likely you don't have a mission worth getting out of bed for, or a culture that fosters continuous learning of DevSecOps skills and tools and growth where people feel psychologically safe. Nor is there a shortage of skills; most teams simply have a poor understanding of what they need to be successful, or of which skills to leverage to improve their security posture.
Mike Spaulding - Building an Application Security Program (centralohioissa)
Application Security in many organizations is simply a 'wish list' item, but with some staff and some training, AppSec can be a reality, even for a small organization. This talk will discuss the best practices, strategies and tactics, and resource planning to build an internal AppSec function; enterprise to 'mom & pop' operations will all benefit from this talk.
Protecting Agile Transformation through Secure DevOps (DevSecOps) (Eryk Budi Pratama)
Representing Cyber Defense Community (cdef.id) to present and share my view on Secure DevOps / DevSecOps. Through this presentation, I shared several insights about:
1. How to balance the risk and controls in the "great shift left" paradigm (agile)
2. DevOps activities
3. How to seamlessly integrate security into DevOps
4. How to "shift left" security
5. Get started with Secure DevOps / DevSecOps
6. Case Study about DevSecOps implementation
For further discussion, especially how to secure digital and agile transformation in your organization, don't hesitate to contact me :)
How to go from waterfall app dev to secure agile development in 2 weeks (Ulf Mattsson)
Waterfall is based on the concept of sequential software development—from conception to ongoing maintenance—where each of the many steps flowed logically into the next.
Join this webinar presentation to learn:
- Why DevOps cannot effectively work in waterfall
- How to use DevOps tools to optimize processes in either development or operations through automation
We will also discuss what is needed to support full DevOps
A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.
DevSecOps is a recent offshoot of the DevOps movement, which doubles down on the importance of security. As security continues to be downplayed or ignored even as the threat landscape explodes, DevSecOps promotes a set of well-developed design principles and engineering patterns which involve security owners and product designers much earlier. DevSecOps lays out a robust and practical blueprint for building security features into the design process, leveraging new engineering tools and patterns and creating secure, defensible software right from the start.
Join Chris Knotts, Innovation Product Director at Cprime, to:
- Learn how the concept of "shifting left" applies to application security and how to prioritize security requirements earlier in the design process
- Get an introduction to a few of the most effective engineering tools for implementing DevSecOps, including popular code scanners, dependency checkers, and free open-source products
- Understand how progress with DevSecOps depends on roles and stakeholders outside of just security staff
Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications.
With this presentation you'll learn how to:
-Protect your systems from risk
-Comply with security standards
-Ensure the entire codebase is bulletproof
As public and private cloud adoption skyrockets, the number of attacks against cloud infrastructure is also increasing dramatically. Now more than ever, it is crucial to secure your cloud assets and data against advanced threats.
We’ll dig into what it means to be successful in the cloud and what successful organizations do more of (and less of) than their less successful peers. We’ll look across technologies adopted, organizational and operational practices, and vendors embraced.
Recorded webinar: https://youtu.be/Og1-xcc7JNs
DevSecOps: Security and Compliance at the Speed of Continuous Delivery - OWASP
Dag Rowe
Abstract:
See how an Ottawa company has built a SOC 2 Type 2 audited software delivery system with less pain and more value.
Build security and compliance into the way software is delivered and operated to:
* Make secure development easier
* Provide real customer value
* Avoid security theatre
* Reduce security and audit bottlenecks
Bio:
Dag Rowe is a BA in security and compliance. Passionate about improving systems of work, he is actively involved in the local software community. Dag helps to organize the Agile Ottawa Meetup group, and the Gatineau-Ottawa Agile Tour conference.
2. About Rajiv & eGT
Rajiv: Executive Technologist; Product Owner; Agile Manager/Coach; Solutions Architect; Sr. Director, Technology Strategy; Dad / Hubby
eGT:
• Established in 2004
• Agile Development & DevOps
• Cloud Migration & Enablement
• Cybersecurity & Information Assurance
• eGT Labs – skunk works!
• 30+ federal agencies
3. Best of times… and worst of times…
Businesses need to deliver faster and be more responsive
Align organizational units to rally behind one common goal
Continuously assess, monitor, prevent, and counter security risks and issues
Leverage technology, automation and agile practices to achieve all of the above
• E-commerce transactions to pass $1.5 Trillion/year
• Era of Digital & Connected Lives – mobile, cloud, wearables, social
• B2B e-commerce predicted to hit $6.7T/year by 2020
• 47% of American adults had their personal information stolen by hackers
• Cyber crime costs businesses $400+ Billion/year – McAfee, 2014
4. Stone Age IT
Teams: Development, Operations, Cybersecurity, QA and Testing, Enterprise Architecture
Messages lost in translation
Slow & unwieldy
Too much finger pointing
Ultimately business suffers, and people too…
Lifecycle phases: Initiation & Planning, Requirements Definition, Design, Development, Testing, Implementation, Operations & Maintenance
5. Enter Agile Development Methodology
Lifecycle phases: Initiation & Planning, Requirements Definition, Design, Development, Testing, Implementation, Operations & Maintenance
Practices: Automated Deployment; Continuous Integration; Automated Code Review; Test Driven Development; Iterative Development & Testing
Backlogs, releases and environments: Product / Release Backlog; Sprint Backlog; System Releases; Development; Testing/Demo; Production
Continuous feedback loop
Frameworks: Scrum, Kanban, Lean, SAFe
Agile as a means to develop solutions faster, release frequently and incorporate feedback continuously
6. Gradual Agile Transformation
Stakeholders: Development, Operations, Cybersecurity, QA and Testing, Enterprise Architecture, Other Stakeholders
More and more federal agencies are adopting agile
Some agencies have adopted DevOps
Very few agencies are truly performing blue-green deployments
Need to break walls and build a tighter trust circle
Agile Software Development & DevOps
Agencies are plagued with security concerns – preventing DevOps transformation
7. DevOps + Cybersecurity → DevOpsSec
Yes, but what about Testing, Users, Requirements, EA?
ReqEADevTestingSecOps?
DevOps => More than just “Development” and “Operations”
Philosophy, Culture, Process, Automation, Tools & Continuous Learning
By Practitioners – For Practitioners
8. DevOps & Cybersecurity – Flipping Resistance → Results
Challenges
• Organizational hierarchies
• Lack of domain understanding
• RMF, NIST Controls
• Emerging / Open Source Tech
• Different tools and processes
• Different objectives – DevOps: Deliver Faster vs. Security: Protect Information
Opportunities
• Secure Designs, Robust Solutions, Reduced $Costs$
• Integrate and automate delivery pipeline – Accelerate time to market
• Respond faster to business
• Enhanced Transparency, Visibility and Accountability
9. Keys to a Successful Marriage of DevOps & Cybersecurity
10. #1 – Come together – Establish Common Process Framework
• Integrate and align SDLC and RMF
• Concurrently execute lifecycle phases
• Peer review and validate work products
• Reinforce security mindset in every step of the process
• Universal visibility, transparency, and accountability
NIST Risk Management Framework steps: Categorize Information System; Select Security Controls; Implement Security Controls; Assess Security Controls; Authorize Information System; Monitor Security Controls
+ Software Development Lifecycle phases: Initiation & Planning; Requirements; Design; Development; Testing; Implementation; Operations & Maintenance
12. #2 – Be kind to your partner – Commit to Collaborate
• Truly bring disparate teams together to work towards common goals and objectives
• Learn, understand and appreciate each other’s concerns
• Instead of “No, not possible” – explore and provide alternate approaches
• Leverage effective collaboration tools
Common Goals · Invested in Shared Success · Continuous Communication
DevOps: “I want to adopt the latest and greatest open source technology. Is this implementation approach secure and compliant?”
Cybersecurity: “Target solution must properly address all required NIST security controls! Here is how and what needs to be done to certify new technologies for secure acceptable use.”
13. #3 – Build Trust Early – Design for Security From Inception
• Detect basic security issues early and prevent downstream friction
• Include security issues (POAMs, etc.) as part of the product backlog and prioritize collectively
• Keep pace with new technology insertion and refreshes
• Address security controls early in the architecture and design phase
Develop System & Software Architecture and Design → Test for compliance with required NIST controls
15. Security Policy and Compliance “as code”
• Replace opinionated human compliance checkers with machines – Compliant or Non-Compliant
    describe port(80) do
      it { should_not be_listening }
    end
    describe port(443) do
      it { should be_listening }
      its('protocol') { should eq 'tcp' }
    end
• BDD-Security, Gauntlt – security test code expressed in plain English
• Treat like any other code – source control, versions, peer review
• Provides a time-machine view into security evolution
• Produces valuable raw data for historical and trend analytics
Short detour for a specific use case / demo…
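An added example, not from the slides and not Serverspec/InSpec itself: the same port policy as above, evaluated by a small plain-Ruby checker against a constructed `ss -ltn`-style socket table, so that each rule yields a machine-readable Compliant / Non-Compliant record a build job can archive. The socket sample and the policy structure are assumptions for illustration.

```ruby
require 'json'

# Constructed sample in the style of `ss -ltn` output (assumption, not real
# host data): an old HTTP listener is still up next to the HTTPS listener.
SAMPLE_SOCKETS = <<~SS
  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
  LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
  LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
  LISTEN  0       511     *:443                *:*
SS

# Policy, one rule per port: must it listen, and over which protocol?
# Mirrors the describe port(80) / port(443) blocks on the slide.
POLICY = [
  { port: 80,  listening: false },
  { port: 443, listening: true, protocol: 'tcp' }
].freeze

# Parse the socket table into [{port:, protocol:}] for LISTEN rows only.
# `ss -ltn` shows TCP sockets only, so protocol is fixed to 'tcp' here.
def parse_listeners(text)
  text.lines.drop(1).map do |line|
    state, _recvq, _sendq, local, _peer = line.split
    next unless state == 'LISTEN'
    { port: local.rpartition(':').last.to_i, protocol: 'tcp' }
  end.compact
end

# Evaluate each rule against the observed listeners. Returns one record per
# rule with a plain Compliant / Non-Compliant status; stored per build, these
# records are the raw data for the historical and trend view the slide wants.
def evaluate(policy, listeners)
  policy.map do |rule|
    observed  = listeners.find { |l| l[:port] == rule[:port] }
    listening = !observed.nil?
    ok = listening == rule[:listening]
    ok = false if ok && observed && rule[:protocol] && observed[:protocol] != rule[:protocol]
    { port: rule[:port], expected: rule, observed: observed,
      status: ok ? 'Compliant' : 'Non-Compliant' }
  end
end

# True only when every rule passes; a CI step would exit non-zero otherwise.
def compliant?(results)
  results.all? { |r| r[:status] == 'Compliant' }
end

puts JSON.pretty_generate(evaluate(POLICY, parse_listeners(SAMPLE_SOCKETS)))
```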
16. Web Application Security Vulnerabilities Survey Results
86% of websites and web-apps contain at least one serious vulnerability
Make the vulnerability remediation process faster and easier
Visibility, Accountability and Empowerment
More secure software, NOT more security software
17. What is OWASP?
Make software security visible, so that individuals and organizations are able to make informed decisions
100s of projects…
OWASP Top 10 security flaws
18. Agile Development & OWASP Testing is Disconnected
Pipeline: Source Control → Release Candidate Build → Testing (Unit; Functional; Static Code Scan; Performance, etc.) → Staging / Production
Iterative / Agile Development: multiple daily/weekly iterations
Security Penetration Testing → Backlog
Push security testing left of the process
Web App Penetration testing conducted very late in the process
Developers have limited visibility and less time to remediate issues
Security vulnerabilities leak through into production
19. Espial – Automate & Integrate Penetration Testing
Jenkins orchestrates: Source Control → Automated Build → Automated Testing (Unit; Functional, etc.; Espial Plugin) → Automated Deployment
Deploy (Vagrant / Docker image) to Dev/Test Env apps and Prod Env apps; execute tests & collect results
Output: Build Quality Report – Code Quality; Test Execution Results; Espial – Security Vulnerabilities; Metrics
A mechanism that automates and integrates security vulnerability tests as part of your existing Jenkins-based CI/CD process
Continuous Detection → Faster Remediation
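An added example, not Espial's code and not its report format: the build-gate logic a Jenkins security step needs once a scanner hands back findings, in Ruby. It diffs the current scan against the previous build's baseline (new, resolved, unchanged) and fails the build only on new findings at or above a severity threshold, which is what turns "continuous detection" into remediation developers can act on. The finding JSON and its field names are constructed assumptions.

```ruby
require 'json'

SEVERITY_RANK = { 'low' => 1, 'medium' => 2, 'high' => 3, 'critical' => 4 }.freeze

# Constructed sample findings in a scanner-neutral shape (assumption: this is
# not Espial's or any real tool's schema). Baseline = previous build's scan.
BASELINE_JSON = <<~JSON
  [{"id":"sqli-login","severity":"high","url":"/login","param":"user"},
   {"id":"xss-search","severity":"medium","url":"/search","param":"q"}]
JSON
CURRENT_JSON = <<~JSON
  [{"id":"xss-search","severity":"medium","url":"/search","param":"q"},
   {"id":"idor-orders","severity":"high","url":"/orders/42","param":"id"},
   {"id":"hdr-missing-hsts","severity":"low","url":"/","param":null}]
JSON

# A finding is identified by check id + URL + parameter, so the same class of
# bug at a new endpoint counts as new rather than being masked by the baseline.
def finding_key(f)
  [f['id'], f['url'], f['param']]
end

# Split current findings into new / resolved / unchanged relative to baseline;
# kept per build, this is the "time machine" view of security evolution.
def diff_findings(baseline_json, current_json)
  base = JSON.parse(baseline_json).to_h { |f| [finding_key(f), f] }
  curr = JSON.parse(current_json).to_h { |f| [finding_key(f), f] }
  { new:       (curr.keys - base.keys).map { |k| curr[k] },
    resolved:  (base.keys - curr.keys).map { |k| base[k] },
    unchanged: (curr.keys & base.keys).map { |k| curr[k] } }
end

# Gate: fail only on *new* findings at or above `threshold`. Pre-existing
# findings stay in the report and belong in the backlog, but blocking every
# build on them would bury developers in noise they did not just introduce.
def gate(diff, threshold: 'high')
  min = SEVERITY_RANK.fetch(threshold)
  blocking = diff[:new].select { |f| SEVERITY_RANK.fetch(f['severity']) >= min }
  { pass: blocking.empty?, blocking: blocking,
    metrics: { new: diff[:new].size, resolved: diff[:resolved].size,
               open: diff[:new].size + diff[:unchanged].size } }
end

puts JSON.pretty_generate(gate(diff_findings(BASELINE_JSON, CURRENT_JSON)))
```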
21. Espial – Key Benefits
• Platform and programming language agnostic – any web-app
• Out-of-the-box integration with Jenkins
• Developers have clear visibility of security vulnerabilities
• Comprehensive – crawls all end-points automatically
• Eliminates risk of vulnerabilities creeping in
22. #5 – Keep the spark alive – Continuously Learn & Innovate
• Evaluate emerging tools & technologies for adoption
• Identify opportunities to innovate and evolve
  • Threat Management
  • Security Data Analytics
  • Interactive Application Security Testing
• Promote industry and community relationships
• Cultivate Labs – Ideas to Reality
  • Promote innovation
  • Experiment and Prototype
  • Productize
  • Rinse and Repeat