© Electric Cloud | electric-cloud.com
You Build It, You Secure It
Higher Velocity and Better Security with DevSecOps
The Topic
DevSecOps practices promote building security and quality into the software delivery process. Join us as we share tips to make security the path of least resistance, enabling developers and operators to increase delivery velocity while improving compliance over time.
The Speakers
John Willis
VP SJTech
@botchagalupe
Anders Wallgren
CTO, Electric Cloud
@anders_wallgren
John Willis
Introduction to DevSecOps
John Willis
Infecting
You Build It, You Secure It
Sonatype
Anatomy of CVE-2017-5638
• Discovered 3/6/2017
• Announced 3/9/2017
• CVE created 3/10/2017
• Equifax discovers 7/2017
• Equifax announced 9/2017
Anatomy of CVE-2017-5638
• Discovered - 3/9/2017
• Action - 3/10/2017
• Remediation - 3/14/2017
Anatomy of CVE-2017-5638
• As of fall 2017, 3,054 organizations downloaded the exact version of Struts2 that was publicly disclosed as vulnerable on 3/10/17 and subsequently exploited at Equifax between 5/17 and 9/17.
• As of fall 2017, 46,557 organizations downloaded a version of Struts and/or its sub projects with known vulnerabilities despite perfectly safe versions being available.
Data derived from Sonatype’s 2017 Software Supply Chain Report
Anatomy of CVE-2017-8046 (Fool Me Once)
• Published 9/21/17
• CVE created 01/04/2018
• Discovered 2/18/17
• Corrected 3/6/18
Anatomy of CVE-2017-8046 (Fool Me Once)
• For the 5 months prior to the September 2017 disclosure, developers downloaded the affected Spring components 411,046 times while they were believed to be good.
• In the 5 months after the September 2017 disclosure, developers downloaded the affected Spring components, which were then known to be vulnerable, 367,351 times. Only an 11% dip.
Data derived from Sonatype’s 2017 Software Supply Chain Report
DevOps → DevSecOps as Supply Chain?
Source: Wikipedia - Continuous Delivery
Software Supply Chain (DevOps Example)
[Figure: pipeline from Delivery Team → Version Control → Build → Test → Release → Stage → Prod, driven by Pipeline Orchestration]
Software Supply Chain (DevOps Example) with DevSecOps additions…
[Figure: the same pipeline (Delivery Team → Version Control → Build → Test → Release → Stage → Prod, driven by Pipeline Orchestration), with an empty row reserved for the DevSecOps additions]
The Felonious Nature of Cyber Security
Security and the Goldilocks Zone
• The fallacious nature of cyber security relates to the standard legacy security model, specifically the idea of perimeter security.
• This concept involves the implementation of a stateful firewall at a routed point within the network that very rarely gets looked at unless an operational change is required.
• The problem with having only perimeter security is that applications have changed significantly in the last ten years while the infrastructure they run upon is playing by the same old rules.
The New Goldilocks Zone (DevSecOps)
[Figure: the DevOps Example pipeline (Delivery Team → Version Control → Build → Test → Release → Stage → Prod) under Secure Pipeline Orchestration, annotated along the stages with these DevSecOps additions:]
• Security Training
• Security Requirements
• Threat Modeling
• Architecture Review
• OWASP Top 10
• IDE Plugins, Code Examples
• Fail the Build
• Static Code Analysis
• Security Policy Testing
• Configuration Analysis
• Vulnerability Scanning
• Code and App Analysis
• Automated Pen Testing
• Static Code Analysis (repeated at a later stage)
• Security Policy Testing (repeated at a later stage)
• Configuration Analysis (repeated at a later stage)
• Security Monitoring
• Configuration Monitoring
Implementing DevOps in a Regulated Environment
[Figure: security controls placed along the phases Requirements & Design → Development → CI → Interval Trigger Assessment → Production, each marked Preventative or Detective:]
• Application Risk Classification
• Security Requirement Definition
• Secure Libraries
• Static Analysis/IDE
• SCM
• Open Source Governance (CI)
• Secure Coding Standards
• Perimeter Assessment
• Dynamic Assessments
• Threat-Based Pen Test
• Web Application Firewalls
• Automated Attack/Bot Defense
• Container Security Management
• Container Security Compliance (CI)
• Threat Modeling
• Static Analysis (CI)
Cross-cutting rows: Security Mavens (Security-Trained Developers and Operations); Role Based Software Security Training; Continuous Monitoring, Analytics and KPI Gathering
Best Practices for DevSecOps
• Train development teams to develop secure code
• Track security issues the same as software issues
• If infrastructure is now code, then security should be code.
• Integrate security controls in the software pipeline
• Automate security tests in the build process
• Detect known vulnerabilities during the pipeline
• Monitor security in production for known states
• Inject failure to ensure security is hardened
Gene Kim, Jez Humble, Patrick Debois, and John Willis. The DevOps Handbook. IT Revolution Press, LLC; 2016.
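As an added example (not from the talk or from Electric Cloud's product), the "detect known vulnerabilities during the pipeline" and "fail the build" practices above as a CI gate: it parses a constructed pom.xml and fails when a declared dependency falls inside an affected version range. The CVE id is the one discussed in the Struts section; the affected-version ranges, the Maven coordinates and the pom contents are illustrative sample data, not an authoritative advisory.

```python
# Pipeline gate (illustrative): fail the build when a dependency is in a known-vulnerable range.
import xml.etree.ElementTree as ET

# Constructed advisory data; a real gate would pull affected ranges from a
# vulnerability database at run time. Coordinates are Maven group:artifact.
ADVISORIES = {
    "org.apache.struts:struts2-core": [
        ("CVE-2017-5638", "2.3.5", "2.3.31"),  # (cve, first, last affected)
        ("CVE-2017-5638", "2.5", "2.5.10"),
    ],
}

# Constructed pom.xml: one affected Struts 2 version, one unrelated library.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.5.10</version></dependency>
    <dependency><groupId>com.example</groupId>
      <artifactId>safe-lib</artifactId><version>1.0.0</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); non-numeric qualifiers sort below releases."""
    return tuple(int(p) if p.isdigit() else -1 for p in text.strip().split("."))

def local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def declared_dependencies(pom_xml):
    """Yield ('group:artifact', version) for every <dependency> in the pom."""
    for dep in ET.fromstring(pom_xml).iter():
        if local(dep.tag) == "dependency":
            f = {local(c.tag): (c.text or "").strip() for c in dep}
            yield f"{f.get('groupId')}:{f.get('artifactId')}", f.get("version", "")

def find_vulnerable(pom_xml):
    """Return [(coordinate, version, cve)] for dependencies in an affected range."""
    hits = []
    for coord, version in declared_dependencies(pom_xml):
        v = parse_version(version)
        for cve, lo, hi in ADVISORIES.get(coord, []):
            if parse_version(lo) <= v <= parse_version(hi):
                hits.append((coord, version, cve))
    return hits

def gate(pom_xml):
    """CI exit status: 0 lets the build continue, 1 fails it."""
    hits = find_vulnerable(pom_xml)
    for coord, version, cve in hits:
        print(f"FAIL: {coord} {version} is affected by {cve}")
    return 1 if hits else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_POM))
```

Run as a pipeline step, a non-zero exit from `gate()` is what makes the build fail before the artifact reaches Release or Stage; a patched version such as 2.5.10.1 sits above the affected range and passes.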
Adaptive Release Orchestration
How an agile pipeline keeps your applications safe and secure
Requirements for Secure Pipeline Orchestration
The New Goldilocks Zone (DevSecOps)
[Figure: the DevOps Example pipeline (Delivery Team → Version Control → Build → Test → Release → Stage → Prod) under Secure Pipeline Orchestration, with its DevSecOps additions]
Remember this? How do you get there?
• Model and Automate Everything
• Provide Environments and Automation as a Service
• Adopt New Technologies Safely
• Monitor and Track Releases
• Build-In Security and Compliance
Model and Automate Everything
• Extendable models are easy to version, test, refactor, enhance
• No need to re-invent the wheel because models are repeatable, auditable, and manageable
• Eliminate drift and unplanned work and heroic efforts because standard practices are used every time
• Separation of duties is the norm because best practices are standardized for each and every release.
Monitor and Track Releases
• Dashboards, tailored for each stakeholder, provide at-a-glance understanding of the health of your release.
• Manage more easily with data and metrics from all sources that are automatically correlated and readily available.
• Improve collaboration and alignment because all teams see the same metrics and release status.
• Problems and bottlenecks are quickly identified and resolved
Provide Environments and Automation as a Service
• Rapidly onboard new teams, pipelines, and applications because reusing is always faster than starting from scratch every time.
• Standardization ensures what is presented at each stage is exactly what’s expected
• Flexibility makes experimentation easy because team members start with what they know and make changes as they support new use cases
• Governance is a breeze because reusable components and automatic audit trails easily meet compliance and regulatory needs
Build-In Security and Compliance
• Automatically enforce policies with anomaly/drift detection, automated or manual approval gates, compliance checks, security tests, and fine-grained ACLs.
• Shift-left security and compliance as an integral part of the pipeline, so it doesn’t become a bottleneck at the last moment.
• Enable one-click auditability, including built-in versioning and logging of all objects.
• Accelerate incident response time and security patching across hybrid environments, with a 360° view of exposure radius and release progress.
Adopt New Technologies Safely
• Ops can be the team that says “YES!” to new technologies, in a safe and operationalized way.
• Take the “rocket science” and steep learning curve out of supporting new technologies and their APIs. Give Ops the confidence to deploy and consistently maintain new technologies, without anxiety.
• Future proof your organization: adopt new technologies and support change in a non-disruptive way.
• Ensure consistency and reusability of everything, across new and existing architectures, technologies, and processes.
ElectricFlow Community Edition!
Adaptive Release Orchestration
Securely orchestrate release pipelines and automate deployments to eliminate risk and boost productivity, predictability, and quality.
Download and use free: electric-cloud.com/electricflow
Want to learn more?
You Build It, You Secure It
A one-day, hands-on technical workshop with John Willis. Learn how to deliver faster with better security with DevSecOps.
Presented by John Willis, VP SJTech, @botchagalupe
Join us immediately following DevOps Enterprise Summit
UK: JUNE 27 @ InterContinental London – The O2
US: OCT 25 @ The Cosmopolitan of Las Vegas
Thank you
Q&A
