Security in DevOps
Taro Lay (賴天騎)
Co-Founder – Kalama Cyber
Who Am I
Taro Lay (賴天騎)
Cyber Security Evangelist
Director of Professional Services at PT. Seraphim Digital Technology
Founder of Kalama Cyber Foundation
Professional penetration tester
Digital security consultant
Has been in the digital security arena for around 30 years
Dedicates 25% of his time to digital security research
@kalama_security @TaroLay
Security Essentials
Security Foundation
• Establish a sound security policy as the “foundation” for design
• Treat security as an integral part of the overall system design
• Delineate the physical and logical security boundaries governed by associated security policies
• Train developers on secure software
Security Essentials
Risk Based
• Reduce risk to an acceptable level
• Assume external systems are insecure
• Implement tailored system security measures to meet goals
• Protect information while processed, in transit, and in storage
• Consider custom products to achieve adequate security
• Protect against all likely classes of “attacks”
Function vs Risk
Traditional vs Modern Application
Monolithic vs Micro Services
Waterfall vs Agile
The major difference between Agile vs. Waterfall might be summarized by saying that the waterfall approach values planning ahead, while the agile approach values adaptability and involvement.
Dev-Ops
Dev-Sec-Ops
Application Security Layers
App level security (libs, code, data)
OS / Network / Physical Access
Intra-services communication (auth, azn, TLS)
Hypervisor, images (VM/Docker)
Security Testing in SDLC
OWASP Top 10 - 2021
A1-Broken Access Control
A2-Cryptographic Failures
A3-Injection
A4-Insecure Design
A5-Security Misconfiguration
A6-Vulnerable and Outdated Components
A7-Identification and Authentication Failures
A8-Software and Data Integrity Failures
A9-Security Logging and Monitoring Failures
A10-Server-side Request Forgery (SSRF)
Bridging the gaps
Common goals Streamlined Workflow Integrated Tools
● Security Training
● Lunch and learn
● Lingo and terminology
● Agile development
● Ticketing system
● Continuous integration
Cost of Flaw
Application Security Issues
TOTAL POTENTIAL SECURITY ISSUES
SAST Only:
● Null pointer dereference
● Threading issues
● Code quality issues
● Issues in dead code
● Insecure crypto functions
● Issues in back-end application code
● Complex injection issues
● Issues in non-web app code
DAST Only:
● Environment configuration issues
● Patch level issues
● Runtime privileges issues
● Authentication issues
● Protocol parser issues
● Session management issues
● Issues in 3rd party web components
● Cross-site request forgery
● Malware analysis
DAST & SAST:
● SQL Injection
● Cross Site Scripting
● HTTP Response Splitting
● OS Commanding
● LDAP Injection
● XPath Injection
● Path Traversal
● Buffer Overflows
● Format String Issues
● Etc.
Thank you!
Taro Lay (賴天騎)
Cybersecurity Evangelist
<tarolay@kalama.id>
@kalama_security @TaroLay
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
IT Sec's Role in the Implementation of DevOps
Rei Munisati
(Head of IT Security & Risk Compliance – Home Credit Indonesia)
Let’s Get To Know Each Other
Rei Munisati
Head of IT Security & Risk Compliance @ Home Credit Indonesia
Experienced in the Banking, Insurance and Technology industries, focusing on Information Security, Data Privacy, GRC, Third Party Security, Audit & Remediation Management roles.
What is DevSecOps?
The main objective of DevSecOps is to automate, monitor and apply security at all phases of the software lifecycle, i.e., plan, develop, build, test, release, deploy, operate and monitor. Applying security at every stage of the software development process enables continuous integration, reducing the cost of compliance and delivering software more rapidly.
DevSecOps: How important is it really?
• Agile took us from months to days to deliver software
• DevOps took us from months to minutes to deploy software
• More applications are mission critical
• Now security has become the bottleneck
The Evolution of Security Tools
Penetration Testing
Duration: 2-4 weeks
Tools:
• Port Scanners
• Vulnerability Scanner
• Exploitation Tools
Audience:
• Security Professionals
Secure SDLC
Duration: 1-2 weeks
Tools:
• Code Security Scanners
• Dynamic Security Scanners
• Vulnerability Scanners
Audience:
• Security Professionals in Enterprise Security Teams
DevSecOps
Duration: Continuous and Real-time
Tools:
• Code Security Scanners
• Interactive Security Scanners
• Runtime Application Self Protection
Audience:
• Developers in Product Teams
Phases of DevSecOps
• Secret Scanning
• Software Composition Analysis (SCA)
• Static Analysis Security Testing (SAST)
• Dynamic Analysis Security Testing (DAST)
• Security in Infrastructure as Code
• Runtime Application Self-Protection (RASP)
• Vulnerability Management (VA)
• Alerting and Monitoring in Security
For Starters in DevSecOps
Secret Scanning
• Sensitive information such as access keys, access tokens, SSH keys, etc.
• Works on a pure regex-based approach for filtering sensitive data
Tools:
1. detect-secrets
2. TruffleHog
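An added example of the regex-based approach described above (not code from detect-secrets or TruffleHog): three illustrative rules run over constructed sample lines, with a Shannon-entropy gate on the generic rule so that placeholder values do not flood the results, and redaction so the scanner's own output does not leak what it finds. The rules, the threshold and the sample lines are assumptions.

```python
"""Regex-based secret scanning with an entropy gate.

Added example; it is not code from detect-secrets or TruffleHog. The rules,
threshold and sample input are constructed for illustration.
"""
import math
import re
from collections import Counter

# Illustrative rules: two fixed-format patterns and one generic "looks like a
# credential assignment" pattern. Real scanners ship far more rules.
PATTERNS = {
    # AWS access key IDs have a fixed prefix and a fixed 16-character suffix.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM private-key header.
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # name = "value": a credential-looking name assigned a long token (group 1).
    "generic_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{16,})['\"]?"
    ),
}

# Pure regex matching of the generic rule flags every long placeholder string;
# requiring some randomness in the value removes the obvious ones.
ENTROPY_THRESHOLD = 3.0  # bits per character


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the characters in value, in bits per character."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Never echo a full credential into CI logs or tickets: keep 4 + 4 chars."""
    if len(value) <= 12:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_lines(lines):
    """Return (line_no, rule, redacted_value) for every line that trips a rule."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if pattern.groups else match.group(0)
            # Only the generic rule needs the entropy gate; the others are exact formats.
            if rule == "generic_secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append((no, rule, redact(value)))
    return findings


# Constructed sample input (the key and token are made up, not real credentials).
SAMPLE_LINES = [
    "aws_access_key_id = AKIAEXAMPLEEXAMPLE12",
    "password = changeme",
    'api_key = "kq8Zr1vP0mN3xT7yB2wL9sD4fG6hJ5cV"',
    'secret = "xxxxxxxxxxxxxxxxxxxxxxxx"',
    "-----BEGIN RSA PRIVATE KEY-----",
    "DEBUG = true",
]

if __name__ == "__main__":
    for line_no, rule, shown in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {rule}: {shown}")
```

Lines 2 and 4 of the sample show the two ways a pure regex approach misfires: a short value the generic rule ignores, and a long placeholder only the entropy gate removes.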
Software Composition Analysis
• Software Composition Analysis (SCA) is an application security methodology for managing open-source components.
• Discover all related components, their supporting libraries, and their direct and indirect dependencies
Tools:
1. Snyk (All)
2. Find-sec-bugs (Java)
3. RetireJS (JavaScript / NodeJS)
4. Bundler-audit (Ruby)
5. Bandit, safety (Python)
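The core of an SCA check as an added example (not code from Snyk or any tool listed above): it walks a constructed dependency graph from each direct dependency through its indirect ones, compares every pinned version against a constructed advisory list, and reports which direct dependency pulls in each vulnerable package. The lock data, the graph and the advisory ids are assumptions; the ids are placeholders, not real CVE numbers.

```python
"""Core logic of a software composition analysis (SCA) check.

Added example; it is not code from Snyk or any tool listed above. The lock
data, dependency graph and advisories are constructed, and the advisory ids
are placeholders rather than real CVE numbers.
"""
from typing import Dict, Iterator, List, Tuple

# Constructed lock file: package -> (pinned version, packages it depends on).
LOCK: Dict[str, Tuple[str, List[str]]] = {
    "webframework": ("2.0.1", ["templating", "httpclient"]),
    "templating": ("3.1.4", []),
    "httpclient": ("1.26.0", ["urlparser"]),
    "urlparser": ("0.9.2", []),
    "reportgen": ("4.2.0", ["templating"]),
}
# Only these are declared by the application itself; the rest are indirect.
DIRECT = ["webframework", "reportgen"]

# Constructed advisories: (package, first vulnerable version, first fixed version, id).
ADVISORIES = [
    ("templating", "3.0.0", "3.1.5", "ADV-PLACEHOLDER-001"),
    ("urlparser", "0.0.0", "1.0.0", "ADV-PLACEHOLDER-002"),
    ("httpclient", "2.0.0", "2.0.3", "ADV-PLACEHOLDER-003"),  # our pin predates the bug
    ("reportgen", "4.0.0", "4.3.0", "ADV-PLACEHOLDER-004"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; real SCA tools need each ecosystem's rules."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str, first_bad: str, first_fixed: str) -> bool:
    return parse_version(first_bad) <= parse_version(version) < parse_version(first_fixed)


def walk(root: str, lock, path=None, seen=None) -> Iterator[Tuple[str, List[str]]]:
    """Yield (package, path from the direct dependency) for root and all it pulls in."""
    path = (path or []) + [root]
    if seen is None:
        seen = set()
    if root in seen:  # guards against cyclic dependency graphs
        return
    seen.add(root)
    yield root, path
    for dep in lock[root][1]:
        yield from walk(dep, lock, path, seen)


def sca_report(lock, direct, advisories):
    """One finding per (vulnerable package, path that pulls it in)."""
    findings = []
    for top in direct:
        for pkg, path in walk(top, lock):
            version = lock[pkg][0]
            for adv_pkg, first_bad, first_fixed, adv_id in advisories:
                if adv_pkg == pkg and is_vulnerable(version, first_bad, first_fixed):
                    findings.append({
                        "package": pkg, "version": version, "advisory": adv_id,
                        "fixed_in": first_fixed, "via": " -> ".join(path),
                        "direct": len(path) == 1,
                    })
    return findings


if __name__ == "__main__":
    for f in sca_report(LOCK, DIRECT, ADVISORIES):
        kind = "direct" if f["direct"] else "transitive"
        print(f'{f["package"]}=={f["version"]} ({kind} via {f["via"]}): '
              f'{f["advisory"]}, fixed in {f["fixed_in"]}')
```

The same vulnerable `templating` pin is reported twice, once per direct dependency that pulls it in, because each path needs its own upgrade decision.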
Static Analysis Security Testing
• White-box security testing using automated tools
• Useful for weeding out low-hanging fruit like SQL Injection, Cross-Site Scripting, insecure libraries, etc.
• Needs manual oversight for managing false positives
Tools: SonarQube
Dynamic Analysis Security Testing
• Black/Grey-box security testing using automated tools
• DAST will help in picking out deployment-specific issues
• Results from DAST and SAST can be compared to weed out false positives
“We can use pentest tools, but they must support the command line and exporting results to a file”
Tools:
1. Nmap
2. Nikto
3. SQLMap
4. Nessus
5. Burp Suite
Security in Infrastructure as Code
• Infrastructure as Code allows you to document and version control the infrastructure
• It also allows you to perform audits on the infrastructure
• The environment is only as secure as its base container image
• Harden your servers with automation (Compliance as Code)
Tools:
1. Ansible
2. InSpec
3. Clair
4. Anchore
5. Dockscan
Areas covered: Infrastructure Code, Image Scanning, Hardening
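An added example of compliance-as-code checks on the image definition itself (not code from Clair, Anchore, Dockscan, InSpec or Ansible): it parses a Dockerfile and flags the base-image and hardening problems behind the "as secure as the base image" point, with a weak and a hardened Dockerfile side by side. Both Dockerfiles are constructed and the digest and URL in them are placeholders.

```python
"""Compliance-as-code checks over a Dockerfile.

Added example; it is not code from Clair, Anchore, Dockscan, InSpec or
Ansible. Both Dockerfiles below are constructed, and the digest and URL in
them are placeholders.
"""
import re

# Constructed "before": the kind of Dockerfile the checks are meant to catch.
DOCKERFILE_WEAK = """\
FROM python:latest
ENV DB_PASSWORD=placeholder-secret
RUN curl -sSL https://example.invalid/install.sh | sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Constructed "after": base image pinned by digest, secrets kept out of the
# build, no remote script piped into a shell, process drops to a service user.
DOCKERFILE_HARDENED = """\
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN adduser --system --no-create-home app
COPY . /app
USER app
CMD ["python", "/app/main.py"]
"""


def parse_instructions(text):
    """Return (INSTRUCTION, args) pairs; joins line continuations, drops comments."""
    joined = re.sub(r"\\\n", " ", text)
    result = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instruction, _, args = line.partition(" ")
        result.append((instruction.upper(), args.strip()))
    return result


def base_image_is_pinned(image: str) -> bool:
    """Pinned means a digest, or a tag other than :latest."""
    if "@sha256:" in image:
        return True
    last = image.split("/")[-1]  # a registry:port/ prefix also contains ':'
    return ":" in last and not last.endswith(":latest")


def check_dockerfile(text):
    """Return (rule, detail) findings; an empty list means all checks pass."""
    findings = []
    instructions = parse_instructions(text)
    for inst, args in instructions:
        if inst == "FROM":
            image = args.split()[0]  # drop "AS stage" in multi-stage builds
            if not base_image_is_pinned(image):
                findings.append(("unpinned-base-image", image))
    # The last USER wins; no USER at all means the process runs as root.
    users = [args for inst, args in instructions if inst == "USER"]
    if not users or users[-1] in ("root", "0"):
        findings.append(("runs-as-root", users[-1] if users else "<no USER>"))
    for inst, args in instructions:
        # ENV/ARG values end up in image metadata and layer history.
        if inst in ("ENV", "ARG") and re.search(r"(?i)(password|secret|token|key)\s*=", args):
            findings.append(("secret-in-build-args", args.split("=")[0]))
        # Remote script piped into a shell: unverifiable content at build time.
        if inst == "RUN" and re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", args):
            findings.append(("piped-remote-script", args))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", DOCKERFILE_WEAK), ("hardened", DOCKERFILE_HARDENED)):
        print(name, check_dockerfile(text) or "all checks pass")
```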
Vulnerability Management
• A central dashboard is required to normalize the data
• The Vulnerability Management System can then be integrated with the bug tracking system
Tools:
1. DefectDojo
2. Archery
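What "normalize the data" and "integrate with the bug tracking system" amount to in code, as an added example (not code from DefectDojo or Archery): two scanners' output in different vocabularies is mapped onto one schema and severity scale, de-duplicated by a stable fingerprint so re-runs update rather than duplicate, and turned into tracker tickets above a severity threshold. The two input documents are constructed stand-ins for a SAST and a DAST tool; real tools' field names differ and are what you adapt in the normalisers.

```python
"""Normalising two scanners' output into one schema, de-duplicating, and
deriving bug-tracker tickets.

Added example; it is not code from DefectDojo or Archery. The two input
documents are constructed stand-ins for a SAST and a DAST tool's JSON; the
field names of real tools differ and are what you adapt in the normalisers.
"""
import hashlib

# Constructed SAST output (severity vocabulary of a code scanner).
SAST_OUTPUT = {
    "tool": "sast-scanner",
    "issues": [
        {"rule": "sql-injection", "severity": "BLOCKER", "file": "app/db.py", "line": 42},
        {"rule": "hardcoded-password", "severity": "CRITICAL", "file": "app/config.py", "line": 7},
        {"rule": "unused-import", "severity": "INFO", "file": "app/util.py", "line": 1},
    ],
}
# Constructed DAST output (different vocabulary; locations are URLs on the staging host).
DAST_OUTPUT = {
    "tool": "dast-scanner",
    "alerts": [
        {"name": "SQL Injection", "risk": "High", "url": "https://staging.example.test/items?id=1"},
        {"name": "Missing HSTS header", "risk": "Low", "url": "https://staging.example.test/"},
    ],
}

# Every tool's vocabulary maps onto one five-level scale for the dashboard.
SEVERITY_MAP = {
    "BLOCKER": "critical", "CRITICAL": "critical", "MAJOR": "high", "MINOR": "medium", "INFO": "info",
    "High": "high", "Medium": "medium", "Low": "low", "Informational": "info",
}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def fingerprint(tool: str, title: str, location: str) -> str:
    """Stable id: re-running a scan updates an existing finding instead of duplicating it."""
    return hashlib.sha256(f"{tool}|{title}|{location}".encode()).hexdigest()[:16]


def make_finding(tool, title, severity, location):
    return {"tool": tool, "title": title, "severity": SEVERITY_MAP[severity],
            "location": location, "fingerprint": fingerprint(tool, title, location)}


def normalise_sast(report):
    return [make_finding(report["tool"], i["rule"], i["severity"], f'{i["file"]}:{i["line"]}')
            for i in report["issues"]]


def normalise_dast(report):
    return [make_finding(report["tool"], a["name"], a["risk"], a["url"]) for a in report["alerts"]]


def all_findings():
    return normalise_sast(SAST_OUTPUT) + normalise_dast(DAST_OUTPUT)


def triage(findings, min_severity="high"):
    """Drop duplicates (same fingerprint) and anything below the threshold."""
    unique = {}
    for f in findings:
        unique.setdefault(f["fingerprint"], f)
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in unique.values() if SEVERITY_RANK[f["severity"]] >= threshold]


def tickets(findings, already_tracked=frozenset()):
    """Tracker tickets for findings not yet tracked; the fingerprint links back to the dashboard."""
    return [{"summary": f'[{f["severity"].upper()}] {f["title"]} at {f["location"]}',
             "labels": ["security", f["tool"]], "external_id": f["fingerprint"]}
            for f in findings if f["fingerprint"] not in already_tracked]


if __name__ == "__main__":
    for t in tickets(triage(all_findings())):
        print(t["summary"], t["external_id"])
```

The SAST "sql-injection" and DAST "SQL Injection" findings keep separate fingerprints here because they point at different locations (a source line and a URL); correlating those two is the manual step the DAST slide refers to.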
Alerting and Monitoring in Security
Monitoring is needed for two end goals:
• Understand whether our security controls are effective
• Know what and where we need to improve
"Detect, Mitigate, and Maintain Continuous Security"
Tools:
1. Grafana
2. ELK
3. Dynatrace
4. Aqua Security
5. Imperva
DevSecOps Pipeline: Inject Security into the DevOps Process
Developer: Pre-Commit Hooks, IDE Plugins, Secrets Management
Code Repository (Pre-Build): SAST, SCA
CI/CD Server: Build Artifact versioning against code commits; Artifact Repository
Post-Build: DAST
QA/Staging: Manual Web Application Pentesting, Sec in IaC, Compliance as Code
Production: Alerting and Monitoring
Vulnerability Management (spanning the whole pipeline)
Sample Pipeline
DevOps Pipeline: Start → Build → Artifactory Deploy → Staging Setup → Staging Deploy → UAT Test → PROD Setup → PROD Deploy Approval → PROD Deploy → End
DevSecOps Pipeline: Start → Build → Artifactory Deploy → SAST (Dependency Check) → Staging Setup → Staging Deploy → UAT Test → DAST → PROD Setup → INFRA Setup → INFRA Scan → Compliance Scan → PROD Deploy Approval → PROD Deploy → WAF Deploy → End
Benefits & Conclusions
✔ Integrate Security via Tools
✔ Security as Code
✔ Faster Release Cycles
✔ Prevent Security Bugs in PROD
✔ Shorter Feedback Cycle
Stages: Developer, Secret Management, Pre-Build, Post-Build, Deploy Test, Deploy PROD
Controls: Pre-Commit Hooks, SCA, SAST, DAST, Security in IaC
THANK YOU

modul ajar kelas x bahasa inggris 24/254modul ajar kelas x bahasa inggris 24/254
modul ajar kelas x bahasa inggris 24/254
NurFitriah45
 
Edukasyong Pantahanan at Pangkabuhayan 1: Personal Hygiene
Edukasyong Pantahanan at  Pangkabuhayan 1: Personal HygieneEdukasyong Pantahanan at  Pangkabuhayan 1: Personal Hygiene
Edukasyong Pantahanan at Pangkabuhayan 1: Personal Hygiene
MJDuyan
 
How to Create a New Article in Knowledge App in Odoo 17
How to Create a New Article in Knowledge App in Odoo 17How to Create a New Article in Knowledge App in Odoo 17
How to Create a New Article in Knowledge App in Odoo 17
Celine George
 
Principles of Roods Approach!!!!!!!.pptx
Principles of Roods Approach!!!!!!!.pptxPrinciples of Roods Approach!!!!!!!.pptx
Principles of Roods Approach!!!!!!!.pptx
ibtesaam huma
 
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
AnneMarieJacildo
 
How to Manage Shipping Connectors & Shipping Methods in Odoo 17
How to Manage Shipping Connectors & Shipping Methods in Odoo 17How to Manage Shipping Connectors & Shipping Methods in Odoo 17
How to Manage Shipping Connectors & Shipping Methods in Odoo 17
Celine George
 
How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17
Celine George
 
SEQUNCES Lecture_Notes_Unit4_chapter11_sequence
SEQUNCES  Lecture_Notes_Unit4_chapter11_sequenceSEQUNCES  Lecture_Notes_Unit4_chapter11_sequence
SEQUNCES Lecture_Notes_Unit4_chapter11_sequence
Murugan Solaiyappan
 
2024 KWL Back 2 School Summer Conference
2024 KWL Back 2 School Summer Conference2024 KWL Back 2 School Summer Conference
2024 KWL Back 2 School Summer Conference
KlettWorldLanguages
 
Allopathic M1 Srudent Orientation Powerpoint
Allopathic M1 Srudent Orientation PowerpointAllopathic M1 Srudent Orientation Powerpoint
Allopathic M1 Srudent Orientation Powerpoint
Julie Sarpy
 
What is Packaging of Products in Odoo 17
What is Packaging of Products in Odoo 17What is Packaging of Products in Odoo 17
What is Packaging of Products in Odoo 17
Celine George
 
Imagination in Computer Science Research
Imagination in Computer Science ResearchImagination in Computer Science Research
Imagination in Computer Science Research
Abhik Roychoudhury
 
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cátedra Banco Santander
 
How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17
Celine George
 
How to Manage Access Rights & User Types in Odoo 17
How to Manage Access Rights & User Types in Odoo 17How to Manage Access Rights & User Types in Odoo 17
How to Manage Access Rights & User Types in Odoo 17
Celine George
 
C Interview Questions PDF By Scholarhat.pdf
C Interview Questions PDF By Scholarhat.pdfC Interview Questions PDF By Scholarhat.pdf
C Interview Questions PDF By Scholarhat.pdf
Scholarhat
 
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptxBRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
kambal1234567890
 
formative Evaluation By Dr.Kshirsagar R.V
formative Evaluation By Dr.Kshirsagar R.Vformative Evaluation By Dr.Kshirsagar R.V
formative Evaluation By Dr.Kshirsagar R.V
DrRavindrakshirsagar1
 
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptxKesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
artenzmartenkai
 

Recently uploaded (20)

BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH LỚP 12 - GLOBAL SUCCESS - FORM MỚI 2025 - ...
 
modul ajar kelas x bahasa inggris 24/254
modul ajar kelas x bahasa inggris 24/254modul ajar kelas x bahasa inggris 24/254
modul ajar kelas x bahasa inggris 24/254
 
Edukasyong Pantahanan at Pangkabuhayan 1: Personal Hygiene
Edukasyong Pantahanan at  Pangkabuhayan 1: Personal HygieneEdukasyong Pantahanan at  Pangkabuhayan 1: Personal Hygiene
Edukasyong Pantahanan at Pangkabuhayan 1: Personal Hygiene
 
How to Create a New Article in Knowledge App in Odoo 17
How to Create a New Article in Knowledge App in Odoo 17How to Create a New Article in Knowledge App in Odoo 17
How to Create a New Article in Knowledge App in Odoo 17
 
Principles of Roods Approach!!!!!!!.pptx
Principles of Roods Approach!!!!!!!.pptxPrinciples of Roods Approach!!!!!!!.pptx
Principles of Roods Approach!!!!!!!.pptx
 
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
1-NLC-MATH7-Consolidation-Lesson1 2024.pptx
 
How to Manage Shipping Connectors & Shipping Methods in Odoo 17
How to Manage Shipping Connectors & Shipping Methods in Odoo 17How to Manage Shipping Connectors & Shipping Methods in Odoo 17
How to Manage Shipping Connectors & Shipping Methods in Odoo 17
 
How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17
 
SEQUNCES Lecture_Notes_Unit4_chapter11_sequence
SEQUNCES  Lecture_Notes_Unit4_chapter11_sequenceSEQUNCES  Lecture_Notes_Unit4_chapter11_sequence
SEQUNCES Lecture_Notes_Unit4_chapter11_sequence
 
2024 KWL Back 2 School Summer Conference
2024 KWL Back 2 School Summer Conference2024 KWL Back 2 School Summer Conference
2024 KWL Back 2 School Summer Conference
 
Allopathic M1 Srudent Orientation Powerpoint
Allopathic M1 Srudent Orientation PowerpointAllopathic M1 Srudent Orientation Powerpoint
Allopathic M1 Srudent Orientation Powerpoint
 
What is Packaging of Products in Odoo 17
What is Packaging of Products in Odoo 17What is Packaging of Products in Odoo 17
What is Packaging of Products in Odoo 17
 
Imagination in Computer Science Research
Imagination in Computer Science ResearchImagination in Computer Science Research
Imagination in Computer Science Research
 
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
 
How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17
 
How to Manage Access Rights & User Types in Odoo 17
How to Manage Access Rights & User Types in Odoo 17How to Manage Access Rights & User Types in Odoo 17
How to Manage Access Rights & User Types in Odoo 17
 
C Interview Questions PDF By Scholarhat.pdf
C Interview Questions PDF By Scholarhat.pdfC Interview Questions PDF By Scholarhat.pdf
C Interview Questions PDF By Scholarhat.pdf
 
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptxBRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
BRIGADA ESKWELA OPENING PROGRAM KICK OFF.pptx
 
formative Evaluation By Dr.Kshirsagar R.V
formative Evaluation By Dr.Kshirsagar R.Vformative Evaluation By Dr.Kshirsagar R.V
formative Evaluation By Dr.Kshirsagar R.V
 
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptxKesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
 

TechTalk 2021: The Role of IT Security in Implementing DevOps

  • 16. Bridging the gaps (common goals, streamlined workflow, integrated tools)
    ● Security training
    ● Lunch and learn
    ● Lingo and terminology
    ● Agile development
    ● Ticketing system
    ● Continuous integration
  • 18. Application Security Issues: total potential security issues, by which tool finds them
    SAST only: ● Null pointer dereference ● Threading issues ● Code quality issues ● Issues in dead code ● Insecure crypto functions ● Issues in back-end application code ● Complex injection issues ● Issues in non-web app code
    DAST only: ● Environment configuration issues ● Patch level issues ● Runtime privilege issues ● Authentication issues ● Protocol parser issues ● Session management issues ● Issues in 3rd party web components ● Cross-site request forgery ● Malware analysis
    DAST & SAST: ● SQL injection ● Cross-site scripting ● HTTP response splitting ● OS commanding ● LDAP injection ● XPath injection ● Path traversal ● Buffer overflows ● Format string issues ● etc.
  • 19. Thank you! Taro Lay (賴天騎), Cybersecurity Evangelist <tarolay@kalama.id> @kalama_security @TaroLay
  • 21. IT Security's Role in the Implementation of DevOps. Rei Munisati (Head of IT Security & Risk Compliance, Home Credit Indonesia)
  • 22. Let's Get To Know Each Other. Rei Munisati, Head of IT Security & Risk Compliance @ Home Credit Indonesia. Experienced in the banking, insurance and technology industries, focusing on information security, data privacy, GRC, third-party security, and audit & remediation management roles.
  • 23. What is DevSecOps? The main objective of DevSecOps is to automate, monitor and apply security at all phases of the software lifecycle, i.e., plan, develop, build, test, release, deploy, operate and monitor. Applying security at every stage of the software development process enables continuous integration, reducing the cost of compliance and delivering software more rapidly.
  • 24. DevSecOps: How important is it really? • Agile took us from months to days to deliver software • DevOps took us from months to minutes to deploy software • More applications are mission critical • Now security has become the bottleneck
  • 25. The Evolution of Security Tools
    Penetration Testing Tools (duration: 2-4 weeks) • Port scanners • Vulnerability scanner • Exploitation tools. Audience: security professionals
    Secure SDLC Tools (duration: 1-2 weeks) • Code security scanners • Dynamic security scanners • Vulnerability scanners. Audience: security professionals in enterprise security teams
    DevSecOps Tools (duration: continuous and real-time) • Code security scanners • Interactive security scanners • Runtime application self-protection. Audience: developers in product teams
  • 26. Phases of DevSecOps (for starters in DevSecOps) • Secret Scanning • Software Composition Analysis (SCA) • Static Analysis Security Testing (SAST) • Dynamic Analysis Security Testing (DAST) • Security in Infrastructure as Code • Runtime Application Self-Protection (RASP) • Vulnerability Management (VA) • Alerting and Monitoring in Security
  • 27. Secret Scanning • Finds sensitive information such as access keys, access tokens, SSH keys, etc. committed to the repository • Works on a pure regex-based approach for filtering sensitive data. Tools: 1. detect-secrets 2. TruffleHog
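To show how the regex-based approach on this slide works, and why scanners pair it with an entropy check, here is a small added secret scanner in Python. It is example code written for this page, not detect-secrets or TruffleHog; the patterns, threshold and sample config are constructed for the example (the AWS key is the well-known documentation placeholder, not a live credential).

```python
"""Regex + entropy secret scanner (added example; not detect-secrets/TruffleHog code)."""
import math
import re
from typing import Dict, List

# Constructed rule set: a few well-known credential shapes plus a generic
# key=value rule whose value must also look random to count as a finding.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret(?:[_-]?key)?|token|password)\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9+/=_\-]{16,})"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders score well below this

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))

def scan_text(text: str, path: str = "<stdin>") -> List[Dict]:
    """Return one finding per line whose content matches a credential rule.
    The generic rule additionally requires a high-entropy value, which drops
    obvious placeholders such as 'changeme' without a per-project allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "generic_assignment" and shannon_entropy(match.group(1)) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: almost certainly a placeholder
            findings.append({"file": path, "line": lineno, "rule": rule})
            break  # one finding per line is enough for a pre-commit gate
    return findings

# Constructed sample file: line 2 and line 4 should be reported, line 3 should not.
SAMPLE_CONFIG = """\
# constructed sample config, not a real deployment
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = 'changeme_changeme'
api_token: "kP9vX2mQ7rT4wZ1nB8yL3cF6hJ0sD5gA"
region = us-east-1
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "app.env"):
        print(f"{f['file']}:{f['line']}: possible secret ({f['rule']})")
```

Wired into a pre-commit hook, a non-empty result from `scan_text` over the staged diff is what blocks the commit; the low-entropy placeholder on line 3 passes through, which is the false-positive filtering the slide's regex-only description leaves out.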
  • 28. Software Composition Analysis • Software Composition Analysis (SCA) is an application security methodology for managing open-source components. • Discover all related components, their supporting libraries, and their direct and indirect dependencies. Tools: 1. Snyk (all languages) 2. find-sec-bugs (Java) 3. RetireJS (JavaScript / Node.js) 4. bundler-audit (Ruby) 5. Bandit, safety (Python)
  • 29. Static Analysis Security Testing • White-box security testing using automated tools • Useful for weeding out low-hanging fruit like SQL injection, cross-site scripting, insecure libraries, etc. • Needs manual oversight for managing false positives. Tools: SonarQube
  • 30. Dynamic Analysis Security Testing • Black/grey-box security testing using automated tools • DAST will help in picking out deployment-specific issues • Results from DAST and SAST can be compared to weed out false positives. "We can use pentest tools, but they must support the command line and exporting results to a file." Tools: 1. Nmap 2. Nikto 3. SQLMap 4. Nessus 5. Burp Suite
  • 31. Security in Infrastructure Code • Infrastructure as code allows you to document and version-control the infrastructure • It also allows you to audit the infrastructure • The environment is only as secure as its base container image • Harden your servers with automation (compliance as code). Tools (infrastructure code, image scanning, hardening): 1. Ansible 2. InSpec 3. Clair 4. Anchore 5. Dockscan
  • 32. Vulnerability Management • A central dashboard is required to normalize the data from the different scanners • The vulnerability management system can then be integrated with the bug-tracking system. Tools: 1. DefectDojo 2. Archery
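The normalization step this slide calls for, and the SAST-versus-DAST comparison from slide 30, as an added Python example written for this page (not DefectDojo or Archery code). The two export shapes below are constructed for the example and do not reproduce any real scanner's output format.

```python
"""Normalize SAST and DAST findings into one schema and correlate them
(added example; input shapes are constructed, not any real tool's export)."""
from typing import Dict, List, Tuple

# Constructed SAST export: rule, file location, severity label.
SAST_EXPORT = [
    {"rule": "sql-injection", "file": "app/orders.py", "line": 42, "severity": "HIGH"},
    {"rule": "xss", "file": "app/views.py", "line": 17, "severity": "MEDIUM"},
    {"rule": "dead-code", "file": "app/legacy.py", "line": 3, "severity": "LOW"},
]
# Constructed DAST export: name, URL, risk label, optional code evidence.
DAST_EXPORT = [
    {"name": "SQL Injection", "url": "https://staging.example/orders?id=1",
     "risk": "High", "evidence": "app/orders.py:42"},
    {"name": "Missing HSTS header", "url": "https://staging.example/", "risk": "Low"},
]

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# Each tool names the same weakness differently; map both onto one label.
CATEGORY = {"sql-injection": "sqli", "sql injection": "sqli",
            "xss": "xss", "cross site scripting": "xss"}

def canon_category(name: str) -> str:
    """Shared category label, falling back to a slugged copy of the tool's name."""
    return CATEGORY.get(name.lower(), name.lower().replace(" ", "-"))

def normalize_sast(item: Dict) -> Dict:
    return {"source": "sast", "category": canon_category(item["rule"]),
            "location": f'{item["file"]}:{item["line"]}',
            "severity": SEVERITY[item["severity"].lower()]}

def normalize_dast(item: Dict) -> Dict:
    # DAST findings are keyed by URL; when the scanner attaches code evidence,
    # use that as the location so the finding can line up with SAST output.
    return {"source": "dast", "category": canon_category(item["name"]),
            "location": item.get("evidence", item["url"]),
            "severity": SEVERITY[item["risk"].lower()]}

def correlate(sast: List[Dict], dast: List[Dict]) -> List[Dict]:
    """Merge on (category, location). Seen by both tools -> corroborated, keep the
    higher severity; SAST-only -> flagged for manual false-positive review."""
    merged: Dict[Tuple[str, str], Dict] = {}
    for f in [normalize_sast(s) for s in sast] + [normalize_dast(d) for d in dast]:
        key = (f["category"], f["location"])
        if key in merged:
            merged[key]["sources"].add(f["source"])
            merged[key]["severity"] = max(merged[key]["severity"], f["severity"])
        else:
            merged[key] = {"category": f["category"], "location": f["location"],
                           "severity": f["severity"], "sources": {f["source"]}}
    out = []
    for m in merged.values():
        m["corroborated"] = m["sources"] == {"sast", "dast"}
        m["needs_review"] = m["sources"] == {"sast"}
        m["sources"] = sorted(m["sources"])
        out.append(m)
    # Dashboard order: most severe first, then by location for a stable listing.
    return sorted(out, key=lambda m: (-m["severity"], m["location"]))
```

The merged records are what a central dashboard would hand to the bug-tracking integration: one ticket per (category, location) rather than one per scanner, with the corroborated ones prioritised.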
  • 33. Alerting and Monitoring. Security monitoring is needed for two end goals: • Understand whether our security controls are effective • Know what and where we need to improve. "Detect, Mitigate, and Maintain Continuous Security." Tools: 1. Grafana 2. ELK 3. Dynatrace 4. Aqua Security 5. Imperva
  • 35. Inject Security in the DevOps Process
    Developer: pre-commit hooks, IDE plugins, secrets management
    Code repository → CI/CD server
    Pre-build: SAST, SCA
    Post-build: DAST
    QA/Staging: manual web application pentesting
    Production: security in IaC, compliance as code, alerting and monitoring
    Artifact repository: artifact versioning against code commits
    Vulnerability management spans all of the stages above
  • 36. Sample Pipeline
    DevOps pipeline: Start → Build → Artifactory Deploy → Staging Setup → Staging Deploy → UAT Test → PROD Setup → PROD Deploy Approval → PROD Deploy → End
    DevSecOps pipeline: Start → Build → Artifactory Deploy → SAST (Dependency Check) → Staging Setup → Staging Deploy → UAT Test → DAST → PROD Setup → INFRA Setup → INFRA Scan → Compliance Scan → PROD Deploy Approval → PROD Deploy → WAF Deploy → End
  • 37. Benefits & Conclusions ✔ Integrate security via tools ✔ Security as code ✔ Faster release cycles ✔ Prevent security bugs in PROD ✔ Shorter feedback cycle
    Stages and controls: Developer (pre-commit hooks, secret management) → Pre-build (SCA, SAST) → Post-build (DAST) → Deploy to test → Deploy to PROD (security in IaC)