©2017 Avanade Inc. All Rights Reserved.
A road to DevSecOps:
Rugged DevOps
Pierre-Henri Gache
Guillaume Oudill
Michel Perfetti
Georges Rodrigues
Sophie Tonnoir
Avanade GALLIA TC Security
Security… a challenge to enable Digital & Cloud
With Cloud and Digital initiatives at the heart of today’s IT landscape, new risks and threats bring an
evolution in the way security must be addressed.
• How can I facilitate the users' experience and still protect my IT assets?
• How can I prevent the threats of data loss, data leakage or misuse?
• Does it meet industry and regulatory compliance criteria (PCI DSS, SOX, Solvency, GDPR)?
• Can we monitor access control (identities, mobility, APIs, CSPs)?
• How can I protect my most valuable asset: the information/data?
• …
Many concerns & questions (Cloud, Digital)
Avanade answers, aim:
• Protecting Information
• Securing Application & Infrastructure
• Managing Identity & Access
• Securing Endpoint
• Because security is at the heart of today's IT revolution, we aim to combine the best of both worlds to give our customers the best experience in securing their IT infrastructure. We provide the ability to carry out business-driven initiatives while addressing security as a business enabler at the user, infrastructure and application levels.
In a nutshell
Workforce & experience
• Security expertise in Identity & Access Management, Infrastructure Security and Data Protection
• Certified consultants on security solutions
Various technologies
Security domains
• Authentication, SSO and cloud enablement
• AD & O365 Security
• DevSecOps
• Privileged Accounts
• Identity Governance
• CASBs
Our engagements
 Consulting
 Transformation (Design / Build)
 Managed Services (Run)
 Fixed Price and T&M
 Buy & resell
• More than 29 000 collaborators
• 800+ customers worldwide
• 70+ locations in 23 countries
• 95% Customer Sat rating
Avanade GALLIA TC Agile & DevOps coaching
talentagile.com
Rugged DevOps
Sophie TONNOIR
Georges RODRIGUES
Software is eating up the world
AppSec 2015-2017
Attacks increased 25%
• US Office of Personnel Management: 19,7
• Tesco Bank: 40,000 accounts
• Vodafone: 2000 customers
• Carphone Warehouse: 2,5M customers
• Charlie Hebdo: 19,000 websites
• Russian Cyber Attack On France Electi
Software Design: how much of my software is actually mine?
80% open source / 20% custom
80% of your applications …are open source
* Data based on the Maven Central repository, by Sonatype
Microsoft is changing
Microsoft is embracing open source!
Did you know that using the following tools makes your code vulnerable?
These are just a few examples; other versions could be even worse…
EntLib 4.1: CVE-2009-3275, CVE-2015-2264
A successful attack could allow attackers to crash the application or consume CPU, causing a denial of service.
Telerik: CVE-2015-2264, CVE-2014-4958, CVE-2014-2217
Local users can gain privileges; XSS vulnerability.
ComponentOne: CVE-2012-0227, CVE-2008-4827, CVE-2008-4132, CVE-2007-6028
Buffer overflow, denial of service.
MongoDB: 8 vulnerabilities!
MySQL: 244 vulnerabilities!!!!
Why secure libraries or dependencies?
Examples from existing solutions
How secure is my repository?
8 years later, vulnerable versions of Bouncy Castle were downloaded… 5.7M times
CVE-2007-6721
CVSS Base Score: 10.0 HIGH
Impact Subscore: 10.0
Exploitability Subscore: 10.0
2007 → 2015
Castles (and Things) are Lurking…
Visualization of open source dependencies
Hundreds of thousands of open source
suppliers and millions of components
Dependency Graph Example
Packages are secured, what's next?
• Your own code is vulnerable
• Two methods:
1. SAST: Static Application Security Testing: source analysis
2. DAST: Dynamic Application Security Testing: running application analysis
• Use the right tool for the right job
• The sooner the better
• Main objective: avoid a long security review before deployment (Time To Market)
Rugged Triangle
Rugged DevOps sits between three practices:
 DAST: Dynamic Application Security Testing
 SAST: Static Application Security Testing
 SCA: Software Component Analysis
Secure continuous software delivery
Packages → Source code → Build → Analyze
Analyze: check compliance to policies, detect vulnerabilities
Compliance KO → back to Developers
Monitoring open source code with WhiteSource @ALMRangers
Michel Perfetti
Who are we?
We are a group of around 100 part-time volunteer engineers and 2 full-time Ranger PMs,
scattered across the globe.
Mission
The Visual Studio ALM Rangers provide professional guidance, practical experience and gap-filling solutions to the developer community.
What do we do?
We are focused primarily on the delivery of out-of-band tooling and practical guidance to
remove adoption blockers in real world environments.
Microsoft ALM Rangers
Context
• The ALM Rangers create VSTS/TFS extensions
• A VSTS/TFS extension:
• Is written in JavaScript
• Runs in the cloud or on your server
• Accesses your data with your credentials
• Uses open source JavaScript libraries to work
• What we don't want:
• To add a backdoor to your data with our code
• Developers avoiding our extensions because they are not secure
WhiteSource
• Security
• Detect vulnerabilities
• Provide actions to fix
• License compliance management
• Inventory
• Integration
• Bug tracking
Current status
• 21 products
• 31 different OSS licences
• We explicitly reject some licences (like GPL)
• Through a WhiteSource policy
• 1600 open source libraries
• Folder management: 0 OSS according to the team; 458 OSS libraries found
• Countdown widget: 5 OSS according to the team; 693 OSS libraries found
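The "Compliance OK / KO" step of the secure delivery pipeline shown earlier and the licence policy on this slide (explicitly rejecting GPL through a WhiteSource policy) come down to one gate run over the resolved component inventory. The JavaScript below is an added example written for this page; it is not the ALM Rangers' or WhiteSource's code, and the policy values, component names, licences and vulnerability identifiers in it are constructed placeholders.

```javascript
// Added example (not the ALM Rangers' or WhiteSource's code): a build-time
// compliance gate over an open-source inventory. It applies the two rules
// the slides describe (explicitly rejected licences such as GPL, and known
// vulnerabilities) and answers the pipeline's "Compliance OK / KO" question.
// Policy values, component names and vulnerability ids are constructed.

// Hypothetical policy: which licences never ship, which CVSS score blocks.
const policy = {
  rejectedLicenses: ["GPL-2.0", "GPL-3.0"],
  blockingCvss: 7.0,
};

// Constructed vulnerability feed keyed by name@version.
// Identifiers are placeholders, not real advisories.
const vulnFeed = {
  "tiny-pad@1.0.0": [{ id: "VULN-PLACEHOLDER-1", cvss: 9.8 }],
  "date-fmt@2.3.1": [{ id: "VULN-PLACEHOLDER-2", cvss: 4.3 }],
};

// Constructed inventory as an SCA scan of a lock file would produce it:
// direct dependencies the team knows about, plus transitive ones it does not.
const inventory = [
  { name: "widget-ui",  version: "3.1.0", license: "MIT",        direct: true  },
  { name: "date-fmt",   version: "2.3.1", license: "Apache-2.0", direct: true  },
  { name: "tiny-pad",   version: "1.0.0", license: "MIT",        direct: false },
  { name: "gpl-helper", version: "0.9.2", license: "GPL-3.0",    direct: false },
];

// Evaluate every component against the policy. Each finding records the
// rule that fired and whether it blocks the build on its own.
function evaluate(components, rules, feed) {
  const findings = [];
  for (const c of components) {
    const key = `${c.name}@${c.version}`;
    if (rules.rejectedLicenses.includes(c.license)) {
      findings.push({ component: key, rule: "license", detail: c.license, blocking: true });
    }
    for (const v of feed[key] || []) {
      findings.push({
        component: key,
        rule: "vulnerability",
        detail: `${v.id} (CVSS ${v.cvss})`,
        blocking: v.cvss >= rules.blockingCvss,
      });
    }
  }
  return {
    compliant: !findings.some((f) => f.blocking),
    findings,
    total: components.length,
    direct: components.filter((c) => c.direct).length,
    transitive: components.filter((c) => !c.direct).length,
  };
}

// Render the feedback the pipeline hands back to developers on "Compliance KO".
function report(result) {
  const lines = [
    `${result.compliant ? "Compliance OK" : "Compliance KO"}: ` +
      `${result.total} components (${result.direct} direct, ${result.transitive} transitive)`,
  ];
  for (const f of result.findings) {
    lines.push(`${f.blocking ? "BLOCK" : "WARN "} ${f.component}: ${f.rule} ${f.detail}`);
  }
  return lines;
}

const result = evaluate(inventory, policy, vulnFeed);
console.log(report(result).join("\n"));
```

Run with `node`; in a pipeline the build step turns `result.compliant` into the job's exit status so that a KO stops delivery and returns the report to the developers. The direct/transitive split reproduces the gap this slide shows (0 libraries according to the team against 458 found): the gate has to run over the resolved lock file, not over the list the team believes it depends on.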
The countdown widget
Demo
Hands On
Dependency analysis with Lifecycle
Demo - Guillaume Oudill
Code analysis with Checkmarx
Demo - Pierre-Henri Gache
False positives
Pierre-Henri Gache
What is a false positive?
Two kinds of false positives are encountered:
1. An analysis result that turns out not to be a vulnerability
2. A vulnerability that is only partially exploitable
Analysing the results
No "magic recipe": every result has to be reviewed.
For each one, analyse where it comes from and whether the analysis is relevant.
Qualifying a vulnerability
User input → Vulnerability → Screen output / database
A team effort
ALM Team / Dev / Security / Ops
The ALM team maintains the tools and acts as the relay for security.
The security team validates the false positives.
Developers provide the information needed to qualify the vulnerability.
Ops support the pentests.
First example
The web application uses the wrong kind of encoding to protect against Cross-Site Scripting (XSS), specifically using standard HTML encoding, HtmlEncode at src\Orchard.Web\Modules\Orchard.ContentPicker\Views\EditorTemplates\Parts.ContentMenuItem.Edit.cshtml:1, to output JavaScript.
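Qualifying this finding means checking what HtmlEncode does and does not do for a value emitted inside a script. The JavaScript below is an added example, not code from the slides or from Orchard; the two encoders, the script template and the sample values are constructed for the illustration, and `htmlEncode` only mimics the behaviour of .NET's HtmlEncode.

```javascript
// Added example (not from the slides or from Orchard): why HtmlEncode is the
// wrong encoder for a value emitted inside JavaScript, shown as a round-trip
// check a reviewer can run when qualifying such a finding.

// Mimics HTML encoding (what HtmlEncode does): entities for the characters
// that matter to an HTML parser. Inside a <script> block the browser does
// not decode entities, and backslashes and newlines pass through untouched.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for a JavaScript string-literal context: \uXXXX-escapes every
// character that could end the literal, add a line terminator, or open a
// tag (so "</script>" can never appear in the output either).
function jsStringEncode(s) {
  return s.replace(/[\\'"\n\r\u2028\u2029<>&]/g, (c) => {
    return "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// Builds the inline script the way a view would: the encoded value is
// dropped between single quotes.
function renderScript(encoder, value) {
  return "var v = '" + encoder(value) + "'; return v;";
}

// Round-trip check: compile the generated script and read the value back.
//   "ok"           the JS engine sees exactly the original value
//   "syntax-error" the literal was broken (the script no longer parses)
//   "corrupted"    it parses, but the value the page receives has changed
function roundTrip(encoder, value) {
  let out;
  try {
    out = new Function(renderScript(encoder, value))();
  } catch (e) {
    return "syntax-error";
  }
  return out === value ? "ok" : "corrupted";
}

// Constructed sample values: an apostrophe with markup, a Windows path
// (backslashes), and a multi-line string.
const samples = ["O'Brien <b>", "C:\\temp\\new", "first line\nsecond line"];
for (const v of samples) {
  console.log(JSON.stringify(v), "HtmlEncode:", roundTrip(htmlEncode, v),
              "| JS encode:", roundTrip(jsStringEncode, v));
}
```

HTML entities are not decoded inside a `<script>` block, so `&#39;` reaches the page verbatim and the value is corrupted, while backslashes and line terminators, which HTML encoding never touches, are exactly the characters that break a JavaScript string literal. The remediation in a .NET view is a JavaScript-context encoder (`HttpUtility.JavaScriptStringEncode`) or serialising the data as JSON, not HtmlEncode.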
Second example
False positives: a real problem?
Few false positives are found in the analysis results.
The complexity lies elsewhere:
• Understanding and qualifying the vulnerabilities
• Determining the criticality level
• Putting a remediation plan in place
False negatives & pentests
• Compare the tools' results with those of the pentests
• Update the rules to take these differences into account
• Repeat this process after each pentest
Cycle: Dev → Analysis → Deployment → Pentests → Fixes
Road to DevSecOps?
Sophie TONNOIR
Georges RODRIGUES
Securing the application: how to industrialize and automate?
Application security is often considered a last challenge to go through (or around) before going into production…
What is DevSecOps?
The purpose and intent of DevSecOps is to
build on the mindset that "everyone is
responsible for security" with the goal of
safely distributing security decisions at
speed and scale to those who hold the
highest level of context without sacrificing
the safety required.
The Rugged Manifesto
...I recognize that software has become a
foundation of our modern world. I
recognize that my code will be attacked by
talented and persistent adversaries who
threaten our physical, economic and
national security. I recognize these things –
and I choose to be rugged. I am rugged
because I refuse to be a source of
vulnerability or weakness.
http://www.ruggedsoftware.org/
http://www.devsecops.org/
Questions?
Thank you!
Pierre-Henri Gache
@phgache
http://www.pierrehenrigache.com
Michel Perfetti
@Miiitch
http://www.buildmeimfamous.net
Georges Rodrigues
Sophie Tonnoir
@sophietonnoir
Guillaume Oudill
@guillaumeoudill
http://guillaumeoudillblog.wordpress.com
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

Discover Rugged DevOps

  • 1. ©2017 Avanade Inc. All Rights Reserved.
  • 2. A road to DevSecOps: Rugged DevOps. Pierre-Henri Gache, Guillaume Oudill, Michel Perfetti, Georges Rodrigues, Sophie Tonnoir
  • 3. Avanade GALLIA TC Security
  • 4. Security… a challenge to enable Digital & Cloud. With Cloud and Digital initiatives at the heart of today’s IT landscape, new risks and threats bring an evolution in the way security must be addressed. Many concerns & questions: • How to facilitate users’ experience and protect my IT assets? • How can I prevent threats of data loss, data leakage or misuse? • Does it meet industry & regulation compliance criteria (PCI DSS, SOX, Solvency, GDPR)? • Can we monitor access control (identities, mobility, APIs, CSPs)? • How can I protect my most valuable asset: the information/data? • … Avanade answers (aim), for Cloud and Digital: Protecting Information; Securing Application & Infrastructure; Managing Identity & Access; Securing Endpoint
  • 5. In a nutshell: Because security is at the heart of today’s IT revolution, we aim at combining the best of both worlds to provide our customers the best experience in securing their IT infrastructure. We provide the ability to carry out business-driven initiatives while addressing security as a business enabler at the user, infrastructure and application levels. Workforce & experience: • Security expertise in Identity & Access Management, Infrastructure Security and Data Protection • Certified consultants on security solutions. Security domains (various technologies): • Authentication, SSO and cloud enablement • AD & O365 Security • DevSecOps • Privileged Accounts • Identity Governance • CASBs. Our engagements: • Consulting • Transformation (Design / Build) • Managed Services (Run) • Fixed Price and T&M • Buy & resell. • More than 29 000 collaborators • 800+ customers worldwide • 70+ locations in 23 countries • 95% customer satisfaction rating
  • 6. Avanade GALLIA TC Agile & DevOps coaching
  • 7. talentagile.com
  • 9. Software is eating up the world
  • 10. AppSec 2015-2017: attacks increased 25%. US Office of Personnel Management: 19.7 M; Tesco Bank: 40,000 accounts; Vodafone: 2,000 customers; Carphone Warehouse: 2.5 M customers; Charlie Hebdo: 19,000 websites; Russian cyber attack on the French election
  • 11. Software design: how much of my software is actually mine? 80% open source / 20% custom. 80% of your applications… are open source. * Data based on the Maven Central repository, by Sonatype
  • 12. Microsoft is changing: Microsoft is embracing open source!
  • 13. Why secure libraries or dependencies? Did you know that using the following tools makes your code vulnerable? These are just a few examples; different versions could be even worse… EntLib 4.1: CVE-2009-3275, CVE-2015-2264. A successful attack could allow attackers to crash the application or drive CPU consumption and cause a denial of service. Telerik: CVE-2015-2264, CVE-2014-4958, CVE-2014-2217. Local users can gain privileges; XSS vulnerability. ComponentOne: CVE-2012-0227, CVE-2008-4827, CVE-2008-4132, CVE-2007-6028. Buffer overflow, denial of service. MongoDB: 8 vulnerabilities! MySQL: 244 vulnerabilities!!!! Examples from existing solutions. 80% of your applications… are open source (80% open source / 20% custom). * Data based on the Maven Central repository, by Sonatype
  • 14. Castles (and Things) are Lurking… How is my repository security? 8 years later (2007 to 2015), vulnerable versions of Bouncy Castle were downloaded… 5.7M times. CVE-2007-6721: CVSS Base Score 10.0 HIGH, Impact Subscore 10.0, Exploitability Subscore 10.0
  • 15. Visualization of open source dependencies: hundreds of thousands of open source suppliers and millions of components
  • 16. Dependency Graph Example
  • 17. Packages are secured, what’s next? • Your own code is vulnerable • Two methods: 1. SAST (Static Application Security Testing): source analysis 2. DAST (Dynamic Application Security Testing): running application analysis • Use the right tool for the right job • The sooner the better • Main objective: to avoid a long security review before deployment (Time To Market)
  • 18. Rugged Triangle: DAST, SAST and SCA around Rugged DevOps. • DAST: Dynamic Application Security Testing • SAST: Static Application Security Testing • SCA: Software Component Analysis
  • 19. Secure continuous software delivery: Packages and source code → Build → Analyze (check compliance to policies, detect vulnerabilities) → Compliance KO → Developers
  • 20. Monitoring open source code with WhiteSource @ALMRangers. Michel Perfetti
  • 21. Microsoft ALM Rangers. Who are we? We are a group of around 100 part-time volunteer engineers and 2 full-time Ranger PMs, scattered across the globe. Mission: the Visual Studio ALM Rangers provide professional guidance, practical experience and gap-filling solutions to the developer community. What do we do? We are focused primarily on the delivery of out-of-band tooling and practical guidance to remove adoption blockers in real world environments.
  • 22. Context • The ALM Rangers create VSTS/TFS extensions • A VSTS/TFS extension: is written in JavaScript; runs in the cloud or on your server; accesses your data with your credentials; uses open source JavaScript libraries to work • What we don’t want: to add a backdoor to your data with our code; developers avoiding our extensions because they are not secure
  • 23. WhiteSource • Security: detect vulnerabilities, provide actions to fix • License compliance management • Inventory • Integration: bug tracking
  • 24. Current status • 21 products • 31 different OSS licences • We explicitly reject some licences (like GPL) through WhiteSource policy • 1600 open source libraries • Folder management: 0 OSS according to the team; in reality 458 OSS libraries • Countdown widget: 5 OSS according to the team; in reality 693 OSS libraries
  • 25. The countdown widget: Demo
  • 27. Dependencies analysis with Lifecycle. Demo - Guillaume Oudill
  • 28. Secure continuous software delivery: Packages and source code → Build → Analyze (check compliance to policies, detect vulnerabilities) → Compliance KO → Developers
  • 29. Code analysis with Checkmarx. Demo - Pierre-Henri Gache
  • 30. Secure continuous software delivery: Packages and source code → Build → Analyze (check compliance to policies, detect vulnerabilities) → Compliance KO → Developers
  • 32. What is a false positive? We find two kinds of false positives: 1. An analysis result that turns out not to be a vulnerability 2. A vulnerability that is only partially exploitable
  • 33. Analysing the results: there is no “miracle recipe”: every result has to be gone through. For each one, analyse its origin and the relevance of the analysis.
  • 34. Qualifying a vulnerability: User input → Vulnerability → Output to screen / database
  • 35. A team effort (ALM team, Dev, Security, Ops). The ALM team maintains the tools and acts as the relay for security. The security team validates the false positives. The developers provide the information needed to qualify the vulnerability. Ops support the pentests.
  • 36. First example: The web application uses the wrong kind of encoding to protect against Cross-Site Scripting (XSS), specifically using standard HTML encoding, HtmlEncode at src\Orchard.Web\Modules\Orchard.ContentPicker\Views\EditorTemplates\Parts.ContentMenuItem.Edit.cshtml:1, to output JavaScript.
  • 37. Second example
  • 38. False positives: a real problem? There are few false positives in the analysis results. The complexity lies elsewhere: • Understanding and qualifying the vulnerabilities • Determining the criticality level • Putting a remediation plan in place
  • 39. False negatives & pentests • Compare the tools’ results with those of the pentests • Update the rules to take these differences into account • Repeat this process after each pentest (cycle: Dev, Analysis, Deployment, Pentests, Fixes)
  • 40. Road to DevSecOps? Sophie TONNOIR, Georges RODRIGUES
  • 41. Securing the application: how to industrialize and automate? Application security is often considered a last challenge to go through (or around) before going into production…
  • 42. Secure continuous software delivery: Packages and source code → Build → Analyze (check compliance to policies, detect vulnerabilities) → Compliance KO → Developers
  • 43. What is DevSecOps? The purpose and intent of DevSecOps is to build on the mindset that "everyone is responsible for security" with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required. The Rugged Manifesto: ...I recognize that software has become a foundation of our modern world. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged. I am rugged because I refuse to be a source of vulnerability or weakness. http://www.ruggedsoftware.org/ http://www.devsecops.org/
  • 45. Thank you! Pierre-Henri Gache @phgache http://www.pierrehenrigache.com; Michel Perfetti @Miiitch http://www.buildmeimfamous.net; Georges Rodrigues; Sophie Tonnoir @sophietonnoir; Guillaume Oudill @guillaumeoudill http://guillaumeoudillblog.wordpress.com
  • 46. ©2017 Avanade Inc. All Rights Reserved.
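The first example (slide 36) and the qualification flow of slide 34 (user input → vulnerability → output), as an added example that is not code from the deck, from Orchard or from Checkmarx: it shows why HTML encoding a value that is written into JavaScript is a real finding to qualify rather than a false positive. `htmlEncode`, `jsStringEncode`, `inlineScript`, `roundTrips` and the sample values are all constructed for this illustration.

```javascript
// Added example, not code from the deck or from Orchard/Checkmarx. HTML entity
// encoding and JavaScript string encoding are different transformations, and
// only the second keeps a value intact when it is written into an inline script.

// HTML entity encoding, in the spirit of HtmlEncode (constructed re-implementation).
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// JavaScript string-literal encoding: every character outside [A-Za-z0-9]
// becomes a \xHH or \u{H...} escape, so quotes, backslashes, newlines and
// the characters of "</script>" can never end the literal or the script block.
function jsStringEncode(s) {
  let out = "";
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (cp < 0x100) out += "\\x" + cp.toString(16).padStart(2, "0");
    else out += "\\u{" + cp.toString(16) + "}";
  }
  return out;
}

// The sink: a server-side view writing a value into an inline script (constructed).
function inlineScript(value, encode) {
  return "var menuTitle = '" + encode(value) + "';";
}

// Qualification check: does the emitted script parse, and does the variable it
// defines still equal the original value? new Function only parses and evaluates
// the one assignment; nothing here reaches a DOM or a browser.
function roundTrips(value, encode) {
  try {
    const readBack = new Function(inlineScript(value, encode) + " return menuTitle;");
    return readBack() === value;
  } catch (e) {            // SyntaxError: the value broke out of the literal
    return false;
  }
}

// Constructed inputs a content editor could legitimately type into a menu title.
const SAMPLES = ["O'Brien & Sons", "C:\\temp", "line 1\nline 2", "</b> plain"];

// Stand-alone run: one row per sample, for each encoder.
for (const v of SAMPLES) {
  console.log(JSON.stringify(v), "html:", roundTrips(v, htmlEncode), "js:", roundTrips(v, jsStringEncode));
}
```

A plain value such as `"plain"` round-trips with either encoder, which is why the defect stays invisible in everyday testing and is something a SAST rule has to catch.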

Editor's Notes

  1. Who is familiar with DevOps? Question to the audience
  2. In your lamps, in your houses, in your household appliances, in the administration: there is software for everything, with the explosion of IoT, machine learning, AI…
  3. Attacks on the application layer are growing by more than 25 percent annually (Akamai Q3 2015 State of the Internet - Security Report). US Office of Personnel Management: this breach was one of the biggest ever of US government systems. Although not proved, the attack was believed to be perpetrated by Chinese hackers. The data theft consisted of stealing addresses, health and financial details of 19.7 million people who had been subjected to government background checks, as well as 1.8 million others. Carphone Warehouse: one of the biggest breaches in the UK this year was when the details of almost 2.5 million customers were stolen. Sources: http://www.information-age.com/top-10-most-devastating-cyber-hacks-2015-123460657/ http://www.welivesecurity.com/2016/12/30/biggest-security-incidents-2016/ http://www.cbsnews.com/news/france-hit-by-19000-cyber-attacks-after-charlie-hebdo-terror-attacks/ http://en.rfi.fr/europe/20170219-french-fm-ayrault-accuses-russia-election-cyberattacks
  4. There was less open source 10 years ago.
  5. Microsoft on GitHub, by Business Insider: http://uk.businessinsider.com/microsoft-github-open-source-2016-9?r=US&IR=T Microsoft today counts on open source developers to feed Azure with applications. Nadella in 2014 said, "Microsoft loves Linux". http://www.infoworld.com/article/3042699/open-source-tools/microsoft-loves-open-source-only-when-its-convenient.html http://www.zdnet.com/article/why-microsoft-is-turning-into-an-open-source-company/ Example: Xamarin for Visual Studio, free and open source
  6. Flaws without the devs knowing: we introduce security flaws without realising it. EntLib is a collection of reusable software components designed to assist software developers (such as logging, validation, data access). Application blocks are provided as source code, test cases and documentation. Telerik: UI frameworks and app development tools. ComponentOne Studio provides enterprise application developers with innovative UI and data management controls for all major platforms.
  7. Bouncy Castle is a cryptography library. Example of a repository with flaws discovered in 2007 and yet still downloaded in 2015.
  8. Visualization of Maven Central: those organic-looking dust mites represent components and their dependencies to other components. What do you use as dependencies? Do you really control your open source code? How many dependencies do you have? We only know the top of the package. Unknown dependencies added by IDEs (are they used?)
  9. SAST: Static Application Security Testing. DAST: Dynamic Application Security Testing. SCA: Software Component Analysis. DAST tests a running web application (requests and responses) using techniques similar to those used by an attacker. SAST examines an application’s source code to detect potential vulnerabilities. SCA → open source components. Checkmarx → SAST and SCA. Sonatype → SCA. DAST examples: Acunetix, IBM, HPE, PortSwigger
  10. More tests, more checks, more visibility to each key player. Talk about ROI, TTM, CDepl.
  11. https://blogs.msdn.microsoft.com/visualstudioalmrangers/2017/01/17/manage-your-open-source-usage-and-security-in-your-pipeline/
  12. https://blogs.msdn.microsoft.com/visualstudioalmrangers/2017/06/08/manage-your-open-source-usage-and-security-as-reported-by-your-cicd-pipeline/
  13. More tests, more checks, more visibility to each key player. Talk about ROI, TTM, CDepl.
  14. More tests, more checks, more visibility to each key player. Talk about ROI, TTM, CDepl.
  15. For a developer: security officers are simply always standing in the way; they force rather tiring procedures (pen testing, WAF, code audit) right before production, which usually creates change requests that add time and money to an almost done project. HP published a paper that says that while DevOps should theoretically improve security, it does the opposite. From their point of view it failed to improve security. http://www.computerweekly.com/news/450401645/DevOps-largely-failing-to-improve-security-study-shows
  16. More tests, more checks, more visibility to each key player
  17. http://www.devsecops.org/ http://www.ruggedsoftware.org/
  18. Guillaume Oudill @guillaumeoudill guillaumeoudillblog.wordpress.com
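The "Analyze → Compliance KO → Developers" gate of the secure continuous delivery slides, together with the inventory gap of slide 24 (a few declared libraries, hundreds found) and the SCA notes above, as an added example that is not code from the deck nor from WhiteSource, Sonatype or Checkmarx. The dependency graph, component metadata, licence policy and CVSS threshold are all constructed; the only page value reused is the GPL rejection rule.

```javascript
// Added example, not from the deck or any vendor. Policy is applied to the
// transitive closure of the declared dependencies, which is where the slide 24
// gap (team says 0 or 5 OSS, analysis finds hundreds) comes from.

// Constructed policy. Slide 24: some licences (like GPL) are rejected explicitly.
// The CVSS threshold is a constructed value, not one stated in the deck.
const POLICY = {
  rejectedLicenceFamilies: ["GPL"],   // matched on the SPDX id prefix, see below
  maxCvssAllowed: 6.9,                // anything High/Critical (>= 7.0) blocks
};

// Constructed dependency graph: component -> its direct dependencies.
// Leaves are simply absent; "ui-kit" is reached twice (shared dependency).
const GRAPH = {
  "countdown-widget": ["ui-kit", "date-lib"],   // what the team declares
  "ui-kit": ["dom-helper", "copyleft-widget"],
  "date-lib": ["tz-data", "ui-kit"],
  "dom-helper": ["crypto-shim"],
};

// Constructed SCA metadata per component; field layout is hypothetical.
const COMPONENTS = {
  "ui-kit":          { licence: "MIT",          vulns: [] },
  "date-lib":        { licence: "Apache-2.0",   vulns: [] },
  "dom-helper":      { licence: "BSD-3-Clause", vulns: [] },
  "crypto-shim":     { licence: "MIT",          vulns: [{ id: "CVE-placeholder", cvss: 10.0 }] },
  "copyleft-widget": { licence: "GPL-3.0",      vulns: [] },
  "tz-data":         { licence: "MIT",          vulns: [] },
};

// Breadth-first walk returning every transitive dependency of `root` (root excluded);
// the visited set keeps shared dependencies and cycles from being walked twice.
function transitiveDependencies(graph, root) {
  const seen = new Set();
  const queue = [...(graph[root] || [])];
  while (queue.length) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);
    queue.push(...(graph[name] || []));
  }
  return [...seen];
}

// "GPL-3.0" -> "GPL"; "BSD-3-Clause" -> "BSD"; used for family-level rejection.
function licenceFamily(spdxId) {
  return spdxId.split("-")[0].toUpperCase();
}

// One component against the policy; missing SCA metadata is itself a finding.
function evaluateComponent(name, meta, policy) {
  if (!meta) return [{ component: name, kind: "unknown", detail: "no SCA metadata" }];
  const violations = [];
  if (policy.rejectedLicenceFamilies.includes(licenceFamily(meta.licence))) {
    violations.push({ component: name, kind: "licence", detail: meta.licence });
  }
  for (const v of meta.vulns) {
    if (v.cvss > policy.maxCvssAllowed) {
      violations.push({ component: name, kind: "vulnerability", detail: `${v.id} (CVSS ${v.cvss})` });
    }
  }
  return violations;
}

// The gate: policy over the whole closure; "KO" sends the report back to developers.
function runGate(graph, components, root, policy) {
  const closure = transitiveDependencies(graph, root);
  const violations = closure.flatMap(n => evaluateComponent(n, components[n], policy));
  return { root, declared: (graph[root] || []).length, analysed: closure.length,
           status: violations.length ? "KO" : "OK", violations };
}

console.log(JSON.stringify(runGate(GRAPH, COMPONENTS, "countdown-widget", POLICY), null, 2));
```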