This document provides an introduction to DevSecOps, which involves integrating security teams and practices into the development lifecycle earlier through a "shift left" approach. It discusses threat modeling to understand security risks, using static and dynamic application security testing tools, checking for vulnerabilities in open source dependencies, securing infrastructure, and defining metrics to measure the effectiveness of applying security measures earlier. The goal of DevSecOps is to find and fix security issues as early as possible through continuous integration and delivery of secure software.
1. DevSecOps 101
Marcelo Yuri Benesciutti
2. MARCELO YURI BENESCIUTTI
Information Security Analyst - DB1
Computer Science - UEM
Researching information security since 2017
In love with technology since 1996
/marceloyb
8. DEV AND OPS = DEVOPS
• Integration and empathy between areas
• Simplification, automation and rationalization of processes
• Shift left
9. SHIFT LEFT
“The earlier you test, the better, and you should test consistently and continuously”
10. WHY SHIFT LEFT?
“Defects found ‘in the field’ cost 50-200 times as much to correct as those corrected earlier”
https://developers.slashdot.org/story/03/10/21/0141215/software-defects---do-late-bugs-really-cost-more
11. AND SEC?
DevSecOps is nothing else than bringing the security team into the empathy circle and shifting security tests left
21. 3. WHAT ARE WE GOING TO DO ABOUT IT?
A list of actions to be taken for each threat
22. 3. WHAT ARE WE GOING TO DO ABOUT IT?
“The user should in no way be able to see contracts which are not his responsibility. The access privilege should guarantee that the user only accesses functions, screens and properties which he is authorized to access. Reference Cornucopia Card: Authorization 7”
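The authorization action above, as an added example that is not part of the deck: an unsafe contract lookup that only checks the id exists, beside the hardened lookup that enforces ownership, plus the kind of security unit test a team would count towards its coverage KPI. The `Contract` class, the `CONTRACTS` sample data and the user names are constructed for the example.

```python
# Added example (not from the deck): the contracts authorization action from
# the threat model, shown as an unsafe lookup beside the hardened one.
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    contract_id: int
    owner: str  # the user responsible for the contract
    body: str


class Forbidden(Exception):
    """Raised when a user requests a contract they are not responsible for."""


# Constructed sample data: two users, each responsible for one contract.
CONTRACTS = {
    1: Contract(1, "alice", "alice's contract"),
    2: Contract(2, "bob", "bob's contract"),
}


def get_contract_unsafe(user: str, contract_id: int) -> Contract:
    """'Before': only checks that the contract exists, so any logged-in user
    can read any contract by supplying its id (the threat the slide lists)."""
    return CONTRACTS[contract_id]


def get_contract(user: str, contract_id: int) -> Contract:
    """'After': enforces the action from the threat model. Unknown and
    foreign ids raise the same error, so the reply does not reveal which
    ids exist."""
    contract = CONTRACTS.get(contract_id)
    if contract is None or contract.owner != user:
        raise Forbidden(f"user {user!r} may not access contract {contract_id}")
    return contract


def is_forbidden(user: str, contract_id: int) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        get_contract(user, contract_id)
    except Forbidden:
        return True
    return False


def security_test_cross_user_access() -> bool:
    """A security unit test of the kind counted in a 'security unit test
    coverage' KPI: passes only when cross-user reads are refused and a
    user's own contract is still readable."""
    own_ok = get_contract("alice", 1).owner == "alice"
    return own_ok and is_forbidden("alice", 2) and is_forbidden("bob", 1)
```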
23. 4. DID WE DO A GOOD JOB?
A way of validating the model and threats, and verifying the success of the actions taken
28. OPEN SOURCE/DEPENDENCY CHECK
“80% of the code in today’s applications comes from libraries and frameworks”
https://cdn2.hubspot.net/hub/203759/file-1100864196-pdf/docs/Contrast_-_Insecure_Libraries_2014.pdf
32. MEASUREMENT
How can we know if the security left shift is really effective?
KPIs are the answer
33. MEASUREMENT
• Number of builds broken due to security errors
• % of security bugs found compared to “normal” bugs
• Number of vulnerabilities found per build
• % of security unit test coverage