Learning the lessons from how the development and operations teams joined their forces together mobilizing themselves under a common DevOps umbrella, security teams don't want to stay behind. They see it as a chance to get more involved at each step of the software development in the Agile fashion. Hence DevSecOps approach, closing the gap between the security teams and the rest of the engineering organization. In my talk I will show the examples of how DevSecOps can lead to a faster feedback loop related to the security issues in the software you are developing. Furthermore, I will explain how to transform your Agile Software Development practices to leverage this new DevSecOps approach and thanks to that produce code with much less security vulnerabilities. But what after you have embraced this new practice? What will be the next “Holy Grail” of software development? I will try to put my Captain Kirk suit and try to see what is laying at the edges of the DevSecOps galaxy.

1. To boldly go where no one has gone before
Life after the DevSecOps transformation 🚀👨‍🚀
j-labs software specialists | Cracow | Warsaw | Munich j-labs.pl blog.j-labs.pl talk4devs.j-labs.pl
Kuba Sendor
Delivery Manager @ j-labs

2. 2Agenda
1.A brief history of where DevSecOps came from
2.So what DevSecOps really is?
3.To boldly go: transition into DevSecOps
Image source: omado.ca

3. 3Brief intro
since 2019: Delivery Manager, j-labs in Kraków
2010-2014: Security & Trust Research,
SAP Labs France in Sophia-Antipolis
2014-2018: Corporate Security, Yelp in London
and San Francisco
Jakub „Kuba” Sendor

4. przejście
A brief history of
DevSecOps

5. 5Waterfall approach
Requirements
Design
Implementation
Verification
Maintenance
Security :(
perhaps someone thought about security here
but usually it was here

6. 6Secure Software Development Lifecycle
Source: microsoft.com

7. 7Agile
PLAN
DESIGN
DEVELOPTEST
RELEASE
FEEDBACK

8. 8DevOps
Source: craftware.pl

9. 9DevSecOps
Source: omado.ca

10. 10DevSecOps – The Final Frontier?
Source: brisazdevops.org

11. przejście
Why do we need
DevSecOps?

12. 12DevSecOps Manifesto
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
Source: devsecops.org

13. 13DevSecOps Manifesto
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
Source: devsecops.org

14. Source: cnbc.com

15. przejście
So what DevSecOps
really is?

16. 16The Six Pillars of DevSecOps – Cloud Security Alliance
Pillar 1: Collective Responsibility
Pillar 2: Collaboration and Integration
Pillar 3: Pragmatic Implementation
Pillar 4: Bridging Compliance and Development
Pillar 5: Automation
Pillar 6: Measure, Monitor, Report and Action
Source: cloudsecurityalliance.org

17. 17Collective Responsibility
Security as a first-class citizen
• Board-level interest in your organization
• CISO – Chief Information Security Officer
Source: linkedin.com

18. 18Collective Responsibility
Awareness and education
• Awareness training for everyone
• Specific training for specific roles
Source: owasp.org

19. 19Collective Responsibility
Everyone is responsible
• Executives
• Non-technical roles

20. 20Collaboration and Integration
Security as an enabler rather than a blocker
Source: cnet.com

21. 21Collaboration and Integration
Threat modeling
• Identify the threats early and often
• Don’t overthink it!
Source: owasp.org

22. 22Pragmatic Implementation
• Not all of the tools and approaches maybe
suitable
• Start small and build on top of that

23. 23Bridging Compliance and Development
• Security by design
• Architecture reviews
• Code audits

24. 24Automation
• Right tools
• Integration with your existing tools
• Process automation

25. 25Measure, Monitor, Report and Action
• Deployment frequency
• Vulnerability patch time
• Test coverage

26. przejście
Journey to
DevSecOps

27. 27
Start small –
iterate fast
Journey to DevSecOps
Get the right tools
Be inclusive and
involve everybody
Measure and don’t be
afraid of course
correction

28. 28Start small – iterate fast
Education
• Awareness training
• Security conferences
Threat modeling
• You already know how to do it!

29. 29Elevation of Privilege Card Game
Source: agilestationery.co.uk

30. Source: owasp.org

31. Source: amazon.com

32. 32Be inclusive and involve everybody
• „Security Heroes”
• Dedicated people in each
team/department
• Fun activities
• Hacktober

33. Source: facebook.com

34. Source: cybersecuritymonth.eu

35. 35Get the right tools
• Incident Response
• Security Incident and Event
Management
• Threat Hunting
the list goes on and on...

36. 36DevSecOps Manifesto
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
Source: devsecops.org

37. Source: elastic.co

38. https://engineeringblog.yelp.com/2015/10/elastalert-alerting-at-scale-with-elasticsearch.html

39. https://www.splunk.com/en_us/blog/security/hunting-with-splunk-the-basics.html

40. https://www.crowdstrike.com/epp-101/threat-hunting/

41. Source: zeek.org

42. 42Measure and don’t be afraid of course correction
• Measure
• Vulnerabilities detected
• Number of incidents
• Mean time to respond
• Retrospect
• Take action!

43. 43
Start small
In summary
Plan and act
Educate everyone
Actually
nothing new...

44. 44Thank you!
Jakub „Kuba” Sendor
Delivery Manager
jakub.sendor@j-labs.pl
Luise-Ullrich-Straße 20
80636 München
ul. Zabłocie 43a
30-701 Kraków
al. Armii Ludowej 26
00-609 Warszawa
j-labs.pl
blog.j-labs.pl
talk4devs.j-labs.pl