John Willis, profile picture
Uploaded byJohn Willis
PDF, PPTX801 views

You build it - Cyber Chicago Keynote

This document provides an introduction to DevSecOps practices. It discusses how DevOps aims to accelerate software delivery through practices like continuous delivery, automation, and removing silos. It notes that security has become the new bottleneck in software delivery. DevSecOps aims to integrate security practices and tools into the software development pipeline to shift security left. This allows security to be addressed continuously throughout development and deployment rather than as a separate phase. The document outlines some DevSecOps basics like security training, threat modeling, and integrating static code analysis and vulnerability scanning into the CI/CD pipeline.

Embed presentation

Download as PDF, PPTX
“You Build It, You Secure It” Introduction to DevSecOps
https://github.com/botchagalupe/my-presentations
DTO Solutions Shift Left, Accelerate Right!
Devops is about Humans 5 Devops is a set of practices and patterns that turn human capital into high performance organizational capital.
Devops Practices and Patterns • Continuous Delivery • Everything in version control • Small batch principle • Trunk based deployments • Manage flow (WIP) • Automate everything
 • Culture • Everyone is responsible • Done means released • Stop the line when it breaks • Remove silos6 itrevolution.com/devops-handbook
Fast CheapGood “Pick Two!” Conventional Wisdom
Fast CheapGood “Pick Two!” Conventional Wisdom
DevOps ResilienceSpeed “Must Have All Three!” New Triangle
Devops Automated Deployment Pipeline 10 Source: Wikipedia - Continuous Delivery
12 Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily
13 Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily 2016 150 Million automated tests run daily…
14 Unicorns and Horses (Enterprises) Unicorns Enterprise Shamelessly stolen and repurposed from: Pete Cheslock
15 Devops Results Enterprise Organizations • Ticketmaster - 98% reduction in MTTR • Nordstrom - 20% shorter Lead Time • Target - Full Stack Deploy 3 months to minutes • USAA - Release from 28 days to 7 days • ING - 500 applications teams doing devops • CSG - From 200 incidents per release to 18
Dev : Ops 10 : 1
Dev : Ops : Sec 100 : 10 : 1 SEC ^
20 Summary • Agile took us from months to days to deliver software • Devops took from months to days to deploy software • Now security is the bottleneck • People….
21 Bill Bryson - A Short History of Nearly Everything
22 Security Meta Points • It’s 30 time cheaper to fix a security defect in Dev vs. Prod • Average data break incident cost 5.4 million • High performing organizations include security in the software delivery process • 80% to 90% of every modern application consists of open source components • Not all vulnerabilities can be scanned
23
24
DevSecOps as Supply Chain? 27 Source: Wikipedia - Continuous Delivery
DevSecOps ResilienceSpeed “Must Have All Three!” New Triangle
DevSecOps Requirements & Design Development CI Interval Trigger Assessment Production Application Risk Classification Security Requirement Definition Secure Libraries Static Analysis/IDE SCM Open Source Governance(CI) Secure Coding Standards Perimeter Assessment Dynamic Assessments Threat-Based Pen Test Web Application Firewalls Automated Attack/ Bot Defense Container Security Management Security Mavens (Security-Trained Developers and Operations) Role Based Software Security Training Continuous Monitoring, Analytics and KPI Gathering Preventative Detective Container Security Compliance (CI) Threat modeling Static Analysis (CI) Implementing DevOps in a Regulated Environment
Software Supply Chain 30 Delivery Team Version Control Build Test Release DevOps Example Stage Prod
Software Supply Chain 31 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod
32 Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod DevSecOps Basics Security Training Security Requirements Threat Modeling Architecture Review OWASP Top 10 IDE Plugins Code Examples TDD for Security Fail the Build Static Code Analysis Security Policy Testing Configuration Analysis Vulnerability Scanning Code and App Analysis RASP Automated Pen Testing Static Code Analysis Security Policy Testing Configuration Analysis Security Monitoring
 Configuration Monitoring
33 More Security Meta Points • Have security create templates, recipes, playbook • Create a Wiki for Security • All Issues managed in a common issue system • Create a Github Repo for OWASP code examples • Create interactive visual environments for security • Visualize all the things…. • A bug is a bug is a bug….
34 DevSecOps and Cloud Configuration • IAM and resource policies (S3 Bucket, SQS, etc.) • Permissive policies (e.g. wildcards) • Security Group ingress and egress rules • Liberal rules (e.g. 0.0.0.0/0, port range 1-65535 is open) • Encryption • Encryption that is not enabled or enforced for applicable resources • Automatic Key Rotation • KMS keys that don't have rotation enabled, • Invalid SSL configurations • ELBs with invalid SSL configurations
35 DevSecOps and Containers • Base Image Policies • Signed images • Capabilities policies • Vulnerability Image Scans • Port and Link Policies • Secrets Management
36 DevSecOps and Serverless • OWASP top 10 are still relevant • Proper Permissions • Data, Keys and Secrets • Still can have vulnerable code dependancies
Best Practices for DevSecOps • Train development teams to develop secure code • Track security issues the same as software issues • If infrastructure is now code, then security should be code. • Integrate security controls in the software pipeline • Automate security test in the build process • Detect known vulnerabilities during the pipeline • Monitor security in production for known states • Inject failure to ensure security is hardened Gene Kim, Jez Humble, Patrick Dubois, and John Willis. 
 The DevOps Handbook; It Revolution Press, LLC.;2016.
Devops Kaizen - Full Life Cycle 1.Key Outcomes 2.Countermeasures 3.Storyboard 4.Kanban Board 5.Post Retrospective 1 2 3 4 5
•Devops Kaizen
 •DevSecOps Workshops •Devops Assessments •Devops Full Retrospective •Dojo Coaching
41 Bonus Material
42 Immutable Service Delivery Fortune 500 Insurance Company • Tracks critical and high security defect rate per 10k lines of code • Started out with (10/10k) • After applying Devops practices and principles (4/10k) • After applying Toyota Supply Chain 4VL (1/10k ) • After Docker with Immutable Delivery (0.1/10k)
43 With Docker Fortune 500 Insurance Company • One Service • One Container • One Read Only File System • One Port

More Related Content

PDF
Devops Kaizen - DevopsDays Dallas 2017
byJohn Willis
 
PPTX
Shifting left – embedding security into the devops pipeline by Mike d. Kail
byDevSecCon
 
PPTX
Scaling Your Architecture for the Long Term
byRandy Shoup
 
PPTX
DevSecOps - London Gathering : June 2018
byMichael Man
 
PPTX
Evolving Architecture and Organization - Lessons from Google and eBay
byRandy Shoup
 
PPTX
Service Architectures At Scale - QCon London 2015
byRandy Shoup
 
PDF
Art of the Possible - Serverless Conference NYC 2017
byJohn Willis
 
PDF
A Secure DevOps Journey
bySonatype
 
Devops Kaizen - DevopsDays Dallas 2017
byJohn Willis
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
byDevSecCon
 
Scaling Your Architecture for the Long Term
byRandy Shoup
 
DevSecOps - London Gathering : June 2018
byMichael Man
 
Evolving Architecture and Organization - Lessons from Google and eBay
byRandy Shoup
 
Service Architectures At Scale - QCon London 2015
byRandy Shoup
 
Art of the Possible - Serverless Conference NYC 2017
byJohn Willis
 
A Secure DevOps Journey
bySonatype
 

What's hot

PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
PPTX
Managing Data in Microservices
byRandy Shoup
 
PDF
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
PPTX
Monoliths, Migrations, and Microservices
byRandy Shoup
 
PPTX
Scaling Your Architecture with Services and Events
byRandy Shoup
 
PPTX
Learning from Learnings: Anatomy of Three Incidents
byRandy Shoup
 
PPTX
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
byDevOps_Fest
 
PPTX
Best Practices for Database Deployments
byRed Gate Software
 
PDF
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
by.NET Conf UY
 
PDF
Ast in CI/CD by Ofer Maor
byDevSecCon
 
PDF
Untangling Continuous Delivery
byPerforce
 
PDF
Why Your Next QA Job Might Be in Ops
byEdward Rousseau
 
PDF
NodeJS security - still unsafe at most speeds - v1.0
byDinis Cruz
 
PPTX
Carl shaulis agile_td2014
byCarl Shaulis
 
PPTX
Road to Continuous Delivery - Wix.com
byAviran Mordo
 
PPTX
Service Architectures at Scale
byRandy Shoup
 
PDF
Demystifying DevOps
byDr. Tathagat Varma
 
PPTX
DevOps for CTOs
byBurke Autrey
 
PPTX
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
byGene Kim
 
PPTX
Lessons Learned Monitoring Production
byAviran Mordo
 
SecDevOps: The New Black of IT
byCloudPassage
 
Managing Data in Microservices
byRandy Shoup
 
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
Monoliths, Migrations, and Microservices
byRandy Shoup
 
Scaling Your Architecture with Services and Events
byRandy Shoup
 
Learning from Learnings: Anatomy of Three Incidents
byRandy Shoup
 
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
byDevOps_Fest
 
Best Practices for Database Deployments
byRed Gate Software
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
by.NET Conf UY
 
Ast in CI/CD by Ofer Maor
byDevSecCon
 
Untangling Continuous Delivery
byPerforce
 
Why Your Next QA Job Might Be in Ops
byEdward Rousseau
 
NodeJS security - still unsafe at most speeds - v1.0
byDinis Cruz
 
Carl shaulis agile_td2014
byCarl Shaulis
 
Road to Continuous Delivery - Wix.com
byAviran Mordo
 
Service Architectures at Scale
byRandy Shoup
 
Demystifying DevOps
byDr. Tathagat Varma
 
DevOps for CTOs
byBurke Autrey
 
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
byGene Kim
 
Lessons Learned Monitoring Production
byAviran Mordo
 

Similar to You build it - Cyber Chicago Keynote

PPTX
Devops
bypenetration Tester
 
PDF
DevOps 101 - DevOps Columbia 3-20-2025.pdf
byjudy (fink) johnson
 
PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PPTX
DevOps Torino Meetup Group Kickoff Meeting - Why a meetup group on DevOps, wh...
byRauno De Pasquale
 
PDF
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
PPTX
What is devsecops and what is the characteristics of it
byamalsalah25
 
PPTX
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
PPTX
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PDF
Divine and felonios cyber security devopsdays austin 2018
byJohn Willis
 
PPTX
Introduction to DevSecOps OWASP Ahmedabad
bykunwaratul hax0r
 
PPTX
DevOps DevSecOps Based on Training Materials
byRifqiMultazamOfficia
 
PDF
Devops - why, what and how?
byMalinda Kapuruge
 
PDF
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
PDF
Scale security for a dollar or less
byMohammed A. Imran
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
PPTX
DevOps State of the Union 2015
byErnest Mueller
 
PPTX
AICT_presentation.pptx
byAbdullahMalik486262
 
Devops
bypenetration Tester
 
DevOps 101 - DevOps Columbia 3-20-2025.pdf
byjudy (fink) johnson
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
The Rise of DevSecOps in CI_CD Workflows.pdf
byyour techdigest
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
DevOps Torino Meetup Group Kickoff Meeting - Why a meetup group on DevOps, wh...
byRauno De Pasquale
 
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
What is devsecops and what is the characteristics of it
byamalsalah25
 
You Build It, You Secure It: Introduction to DevSecOps
bySumo Logic
 
Secure DevOps - Evolution or Revolution?
bySecurity Innovation
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
Divine and felonios cyber security devopsdays austin 2018
byJohn Willis
 
Introduction to DevSecOps OWASP Ahmedabad
bykunwaratul hax0r
 
DevOps DevSecOps Based on Training Materials
byRifqiMultazamOfficia
 
Devops - why, what and how?
byMalinda Kapuruge
 
Strengthen and Scale Security for a dollar or less
byMohammed A. Imran
 
Scale security for a dollar or less
byMohammed A. Imran
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
byMohammed A. Imran
 
DevOps State of the Union 2015
byErnest Mueller
 
AICT_presentation.pptx
byAbdullahMalik486262
 

More from John Willis

PDF
Automated Governance
byJohn Willis
 
PDF
I Got 99 Problems and a Bash DSL Ain't One of Them
byJohn Willis
 
PDF
Math is cool
byJohn Willis
 
PDF
Devops Long Strange Trip
byJohn Willis
 
PDF
Evolve 2017 - Vegas - Devops, Docker and Security
byJohn Willis
 
PDF
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
byJohn Willis
 
PDF
Immutable Service Delivery Shenzhen 2016
byJohn Willis
 
PDF
Dockercon USA 2016 - Immutable Awesomeness
byJohn Willis
 
PDF
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
byJohn Willis
 
PDF
Turning Human Capital into High Performance Organizational Capital
byJohn Willis
 
PDF
Alibaba Cloud Conference 2016 - Docker Open Source
byJohn Willis
 
PDF
Alibaba Cloud Conference 2016 - Docker Enterprise
byJohn Willis
 
PDF
DOES16 London - Better Faster Cheaper .. How?
byJohn Willis
 
PDF
The 7 deadly diseases of DevOps 2019
byJohn Willis
 
PDF
Next Generation Infrastructure - Devops Enterprise Summit 2018
byJohn Willis
 
PDF
Why Executives Can't Change
byJohn Willis
 
PDF
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
byJohn Willis
 
PDF
Breaking Bad Equilibrium - Devops Connect 2016 LA
byJohn Willis
 
PDF
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
byJohn Willis
 
PDF
Devops - A Long Strange Trip It's Been
byJohn Willis
 
Automated Governance
byJohn Willis
 
I Got 99 Problems and a Bash DSL Ain't One of Them
byJohn Willis
 
Math is cool
byJohn Willis
 
Devops Long Strange Trip
byJohn Willis
 
Evolve 2017 - Vegas - Devops, Docker and Security
byJohn Willis
 
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
byJohn Willis
 
Immutable Service Delivery Shenzhen 2016
byJohn Willis
 
Dockercon USA 2016 - Immutable Awesomeness
byJohn Willis
 
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
byJohn Willis
 
Turning Human Capital into High Performance Organizational Capital
byJohn Willis
 
Alibaba Cloud Conference 2016 - Docker Open Source
byJohn Willis
 
Alibaba Cloud Conference 2016 - Docker Enterprise
byJohn Willis
 
DOES16 London - Better Faster Cheaper .. How?
byJohn Willis
 
The 7 deadly diseases of DevOps 2019
byJohn Willis
 
Next Generation Infrastructure - Devops Enterprise Summit 2018
byJohn Willis
 
Why Executives Can't Change
byJohn Willis
 
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
byJohn Willis
 
Breaking Bad Equilibrium - Devops Connect 2016 LA
byJohn Willis
 
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
byJohn Willis
 
Devops - A Long Strange Trip It's Been
byJohn Willis
 

Recently uploaded

PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PPTX
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
How to Evaluate a High Performance Database
byScyllaDB
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
API-First Architecture in Financial Systems
bycyy111112
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 

You build it - Cyber Chicago Keynote

  • 1.
    “You Build It,You Secure It” Introduction to DevSecOps
  • 2.
  • 4.
    DTO Solutions Shift Left,Accelerate Right!
  • 5.
    Devops is aboutHumans 5 Devops is a set of practices and patterns that turn human capital into high performance organizational capital.
  • 6.
    Devops Practices andPatterns • Continuous Delivery • Everything in version control • Small batch principle • Trunk based deployments • Manage flow (WIP) • Automate everything
 • Culture • Everyone is responsible • Done means released • Stop the line when it breaks • Remove silos6 itrevolution.com/devops-handbook
  • 7.
  • 8.
  • 9.
  • 10.
    Devops Automated DeploymentPipeline 10 Source: Wikipedia - Continuous Delivery
  • 12.
    12 Devops Results Google • Over15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily
  • 13.
    13 Devops Results Google • Over15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily 2016 150 Million automated tests run daily…
  • 14.
    14 Unicorns and Horses(Enterprises) Unicorns Enterprise Shamelessly stolen and repurposed from: Pete Cheslock
  • 15.
    15 Devops Results Enterprise Organizations •Ticketmaster - 98% reduction in MTTR • Nordstrom - 20% shorter Lead Time • Target - Full Stack Deploy 3 months to minutes • USAA - Release from 28 days to 7 days • ING - 500 applications teams doing devops • CSG - From 200 incidents per release to 18
  • 17.
  • 19.
    Dev : Ops: Sec 100 : 10 : 1 SEC ^
  • 20.
    20 Summary • Agile tookus from months to days to deliver software • Devops took from months to days to deploy software • Now security is the bottleneck • People….
  • 21.
    21 Bill Bryson -A Short History of Nearly Everything
  • 22.
    22 Security Meta Points •It’s 30 time cheaper to fix a security defect in Dev vs. Prod • Average data break incident cost 5.4 million • High performing organizations include security in the software delivery process • 80% to 90% of every modern application consists of open source components • Not all vulnerabilities can be scanned
  • 23.
  • 24.
  • 27.
    DevSecOps as SupplyChain? 27 Source: Wikipedia - Continuous Delivery
  • 28.
  • 29.
    DevSecOps Requirements & Design Development CI Interval Trigger Assessment Production ApplicationRisk Classification Security Requirement Definition Secure Libraries Static Analysis/IDE SCM Open Source Governance(CI) Secure Coding Standards Perimeter Assessment Dynamic Assessments Threat-Based Pen Test Web Application Firewalls Automated Attack/ Bot Defense Container Security Management Security Mavens (Security-Trained Developers and Operations) Role Based Software Security Training Continuous Monitoring, Analytics and KPI Gathering Preventative Detective Container Security Compliance (CI) Threat modeling Static Analysis (CI) Implementing DevOps in a Regulated Environment
  • 30.
  • 31.
    Software Supply Chain 31 Delivery Team Version Control BuildTest Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod
  • 32.
    32 Delivery Team Version Control Build Test Release DevSecOpsExample Stage Prod DevSecOps Basics Security Training Security Requirements Threat Modeling Architecture Review OWASP Top 10 IDE Plugins Code Examples TDD for Security Fail the Build Static Code Analysis Security Policy Testing Configuration Analysis Vulnerability Scanning Code and App Analysis RASP Automated Pen Testing Static Code Analysis Security Policy Testing Configuration Analysis Security Monitoring
 Configuration Monitoring
  • 33.
    33 More Security MetaPoints • Have security create templates, recipes, playbook • Create a Wiki for Security • All Issues managed in a common issue system • Create a Github Repo for OWASP code examples • Create interactive visual environments for security • Visualize all the things…. • A bug is a bug is a bug….
  • 34.
    34 DevSecOps and CloudConfiguration • IAM and resource policies (S3 Bucket, SQS, etc.) • Permissive policies (e.g. wildcards) • Security Group ingress and egress rules • Liberal rules (e.g. 0.0.0.0/0, port range 1-65535 is open) • Encryption • Encryption that is not enabled or enforced for applicable resources • Automatic Key Rotation • KMS keys that don't have rotation enabled, • Invalid SSL configurations • ELBs with invalid SSL configurations
  • 35.
    35 DevSecOps and Containers •Base Image Policies • Signed images • Capabilities policies • Vulnerability Image Scans • Port and Link Policies • Secrets Management
  • 36.
    36 DevSecOps and Serverless •OWASP top 10 are still relevant • Proper Permissions • Data, Keys and Secrets • Still can have vulnerable code dependancies
  • 38.
    Best Practices forDevSecOps • Train development teams to develop secure code • Track security issues the same as software issues • If infrastructure is now code, then security should be code. • Integrate security controls in the software pipeline • Automate security test in the build process • Detect known vulnerabilities during the pipeline • Monitor security in production for known states • Inject failure to ensure security is hardened Gene Kim, Jez Humble, Patrick Dubois, and John Willis. 
 The DevOps Handbook; It Revolution Press, LLC.;2016.
  • 39.
    Devops Kaizen -Full Life Cycle 1.Key Outcomes 2.Countermeasures 3.Storyboard 4.Kanban Board 5.Post Retrospective 1 2 3 4 5
  • 40.
    •Devops Kaizen
 •DevSecOps Workshops •DevopsAssessments •Devops Full Retrospective •Dojo Coaching
  • 41.
  • 42.
    42 Immutable Service Delivery Fortune500 Insurance Company • Tracks critical and high security defect rate per 10k lines of code • Started out with (10/10k) • After applying Devops practices and principles (4/10k) • After applying Toyota Supply Chain 4VL (1/10k ) • After Docker with Immutable Delivery (0.1/10k)
  • 43.
    43 With Docker Fortune 500Insurance Company • One Service • One Container • One Read Only File System • One Port