SlideShare uma empresa Scribd logo

DevSecOps Basics with Azure Pipelines

A
Abdul_Mujeeb

DevSecOps basics with Azure Pipelines.

Tecnologia
1 de 14
Baixar para ler offline
DevSecOps Using Azure Pipelines for Continuous CI CD and Security Mohammed Abdul Mujeeb
Agenda • What is DevOps • DevOps using Azure Pipelines • What is DevSecOps • Why do we need DevSecOps • Demo - DevSecOps using Azure Pipelines
Build Cycle
DevOps • A compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers - Microsoft Definition • Any thing that speeds application delivery - Simplified • Automation plays an important role in speeding application delivery
Azure DevOps • Set of tools to achieve DevOps • 5 Modules - Boards, Repos, Pipelines, Test Plan, Artifacts • Azure Pipelines - CI and CD tool
Terminologies • Continuous Integration (CI) - Automated building of code • Continuous Delivery (CD) - Deployment ready, but not all changes will be deployed to production • Continuous Deployment (CD) - Automated deployment to production
Demo Architecture
Demo - Basic DevOps Process 1. Developer makes changes in IDE (VSCode) 2. Developer pushes the code to GIT 3. The push triggers automated build (CI) using Azure pipelines 4. The CI pulls latest source code, builds docker image and pushes docker image to Azure Container Registry (ACR) 5. Successful deployment to ACR triggers CD via Releases 6. The Release Pipeline deploys code to the App Service
Basic DevSecOps Process • Design - Threat Modeling and Risk Assessment • Development - SAST Scan on IDE, Code Reviews • Continuous Integration (CI) - Security Unit Tests, Static Application Security testing, Open Source Analysis, Container Scanning • Continuous Delivery (CD) - Compliance Check, Dynamic Application Security Scanning, Infrastructure Security, Penetration testing • Continuous Deployment (CD) - Compliance Check, Runtime Defense • Security in Production - Monitoring, SSL Configuration,
Challenges • Security as an after thought • Quick software release cycles • Moving workloads to cloud • Organizational Culture
DevSecOps • Shift Security Left • Integrates security with DevOps without slowing down SDLC • Automates Security within the DevOps Workflow • Secure Continuous Development • Is not just about using bunch of security tools. It’s about people, process and tools
DevSecOps for Business • An organization developing software in-house • An organization outsourcing software development • An organization procuring software from a vendor
Tools of the trade • Threat Modeling - Microsoft Threat Modeling .. • SAST Scan - Checkmarx, SonarCloud, Open Source .. • OSA - Whitesource, BlackDuck, OWASP Dependency Check .. • Container Scan - Aqua, Twistlock, Anchore, Clair .. • DAST Scan - OWASP ZAP, TinFoil .. • Many other tools based on the requirement • Prefer open source tools to start
Demo Secure CI and CD using Azure Pipelines Steps - 1. SAST scan using SonarCloud 2. Open Source Scan scan using Whitesource Bolt 3. Container Scan using Anchore 4. DAST Scan using OWASP Zap 5. Compliance Scan on the cloud infrastructure

Recomendados

DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOpsCYBRIC
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and HowNotSoSecure Global Services
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 

Recomendados

DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOpsCYBRIC
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and HowNotSoSecure Global Services
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..Siddharth Joshi
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsCheah Eng Soon
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Securityn|u - The Open Security Community
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 
DevOps - A Gentle Introduction
DevOps - A Gentle IntroductionDevOps - A Gentle Introduction
DevOps - A Gentle IntroductionCodeOps Technologies LLP
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101Narudom Roongsiriwong, CISSP
 
Power of Azure Devops
Power of Azure DevopsPower of Azure Devops
Power of Azure DevopsAzure Riyadh User Group
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
DevSecOps on Azure
DevSecOps on AzureDevSecOps on Azure
DevSecOps on AzureSeven Peaks Speaks
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introductionStefan Streichsbier
 
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...Edureka!
 
DevOps Best Practices
DevOps Best PracticesDevOps Best Practices
DevOps Best PracticesGiragadurai Vallirajan
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsTomas Honzak
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAmazon Web Services
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous IntegrationStephen de Vries
 

Mais conteúdo relacionado

Mais procurados

DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..Siddharth Joshi
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introductionStefan Streichsbier
 
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...Edureka!
 

Mais procurados (20)

DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
DevOps - A Gentle Introduction
DevOps - A Gentle IntroductionDevOps - A Gentle Introduction
DevOps - A Gentle Introduction
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Power of Azure Devops
Power of Azure DevopsPower of Azure Devops
Power of Azure Devops
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
DevSecOps on Azure
DevSecOps on AzureDevSecOps on Azure
DevSecOps on Azure
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
 
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
 
DevOps Best Practices
DevOps Best PracticesDevOps Best Practices
DevOps Best Practices
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 

Semelhante a DevSecOps Basics with Azure Pipelines

Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAmazon Web Services
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous IntegrationStephen de Vries
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabadkunwaratul hax0r
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程Duran Hsieh
 
DevOps_service.pptx
DevOps_service.pptxDevOps_service.pptx
DevOps_service.pptxphamvinhcntt
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries
 
DevOps-as-a-Service: Towards Automating the Automation
DevOps-as-a-Service: Towards Automating the AutomationDevOps-as-a-Service: Towards Automating the Automation
DevOps-as-a-Service: Towards Automating the AutomationKeith Pleas
 
The Road to DevOps V3
The Road to DevOps V3The Road to DevOps V3
The Road to DevOps V3Ahmed Misbah
 
Agile, DevOps & Test
Agile, DevOps & TestAgile, DevOps & Test
Agile, DevOps & TestQualitest
 
Continuous Integration for OpenVMS with Jenkins
Continuous Integration for OpenVMS with JenkinsContinuous Integration for OpenVMS with Jenkins
Continuous Integration for OpenVMS with Jenkinsecubemarketing
 
SanDiego_DevOps_Meetup_9212016
SanDiego_DevOps_Meetup_9212016SanDiego_DevOps_Meetup_9212016
SanDiego_DevOps_Meetup_9212016w2fong
 
Continuous Deployment with Containers
Continuous Deployment with ContainersContinuous Deployment with Containers
Continuous Deployment with ContainersDavid Papp
 
SanDiego_DevOps_Meetup_9212016-v8
SanDiego_DevOps_Meetup_9212016-v8SanDiego_DevOps_Meetup_9212016-v8
SanDiego_DevOps_Meetup_9212016-v8Rajwinder Singh
 
DevOps for AI Apps
DevOps for AI AppsDevOps for AI Apps
DevOps for AI AppsRichin Jain
 

Semelhante a DevSecOps Basics with Azure Pipelines (20)

Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous Integration
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabad
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
 
DevOps_service.pptx
DevOps_service.pptxDevOps_service.pptx
DevOps_service.pptx
 
Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014Continuous Security Testing with Devops - OWASP EU 2014
Continuous Security Testing with Devops - OWASP EU 2014
 
DevOps-as-a-Service: Towards Automating the Automation
DevOps-as-a-Service: Towards Automating the AutomationDevOps-as-a-Service: Towards Automating the Automation
DevOps-as-a-Service: Towards Automating the Automation
 
DevOps intro
DevOps introDevOps intro
DevOps intro
 
The Road to DevOps V3
The Road to DevOps V3The Road to DevOps V3
The Road to DevOps V3
 
DevOps
DevOpsDevOps
DevOps
 
Devops architecture
Devops architectureDevops architecture
Devops architecture
 
Agile, DevOps & Test
Agile, DevOps & TestAgile, DevOps & Test
Agile, DevOps & Test
 
Continuous Integration for OpenVMS with Jenkins
Continuous Integration for OpenVMS with JenkinsContinuous Integration for OpenVMS with Jenkins
Continuous Integration for OpenVMS with Jenkins
 
SanDiego_DevOps_Meetup_9212016
SanDiego_DevOps_Meetup_9212016SanDiego_DevOps_Meetup_9212016
SanDiego_DevOps_Meetup_9212016
 
DevOps
DevOpsDevOps
DevOps
 
Continuous Deployment with Containers
Continuous Deployment with ContainersContinuous Deployment with Containers
Continuous Deployment with Containers
 
SanDiego_DevOps_Meetup_9212016-v8
SanDiego_DevOps_Meetup_9212016-v8SanDiego_DevOps_Meetup_9212016-v8
SanDiego_DevOps_Meetup_9212016-v8
 
DevOps for AI Apps
DevOps for AI AppsDevOps for AI Apps
DevOps for AI Apps
 
Devops
DevopsDevops
Devops
 

Último

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 

Último (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

DevSecOps Basics with Azure Pipelines

  • 1. DevSecOps Using Azure Pipelines for Continuous CI CD and Security Mohammed Abdul Mujeeb
  • 2. Agenda • What is DevOps • DevOps using Azure Pipelines • What is DevSecOps • Why do we need DevSecOps • Demo - DevSecOps using Azure Pipelines
  • 4. DevOps • A compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers - Microsoft Definition • Any thing that speeds application delivery - Simplified • Automation plays an important role in speeding application delivery
  • 5. Azure DevOps • Set of tools to achieve DevOps • 5 Modules - Boards, Repos, Pipelines, Test Plan, Artifacts • Azure Pipelines - CI and CD tool
  • 6. Terminologies • Continuous Integration (CI) - Automated building of code • Continuous Delivery (CD) - Deployment ready, but not all changes will be deployed to production • Continuous Deployment (CD) - Automated deployment to production
  • 8. Demo - Basic DevOps Process 1. Developer makes changes in IDE (VSCode) 2. Developer pushes the code to GIT 3. The push triggers automated build (CI) using Azure pipelines 4. The CI pulls latest source code, builds docker image and pushes docker image to Azure Container Registry (ACR) 5. Successful deployment to ACR triggers CD via Releases 6. The Release Pipeline deploys code to the App Service
  • 9. Basic DevSecOps Process • Design - Threat Modeling and Risk Assessment • Development - SAST Scan on IDE, Code Reviews • Continuous Integration (CI) - Security Unit Tests, Static Application Security testing, Open Source Analysis, Container Scanning • Continuous Delivery (CD) - Compliance Check, Dynamic Application Security Scanning, Infrastructure Security, Penetration testing • Continuous Deployment (CD) - Compliance Check, Runtime Defense • Security in Production - Monitoring, SSL Configuration,
  • 10. Challenges • Security as an after thought • Quick software release cycles • Moving workloads to cloud • Organizational Culture
  • 11. DevSecOps • Shift Security Left • Integrates security with DevOps without slowing down SDLC • Automates Security within the DevOps Workflow • Secure Continuous Development • Is not just about using bunch of security tools. It’s about people, process and tools
  • 12. DevSecOps for Business • An organization developing software in-house • An organization outsourcing software development • An organization procuring software from a vendor
  • 13. Tools of the trade • Threat Modeling - Microsoft Threat Modeling .. • SAST Scan - Checkmarx, SonarCloud, Open Source .. • OSA - Whitesource, BlackDuck, OWASP Dependency Check .. • Container Scan - Aqua, Twistlock, Anchore, Clair .. • DAST Scan - OWASP ZAP, TinFoil .. • Many other tools based on the requirement • Prefer open source tools to start
  • 14. Demo Secure CI and CD using Azure Pipelines Steps - 1. SAST scan using SonarCloud 2. Open Source Scan scan using Whitesource Bolt 3. Container Scan using Anchore 4. DAST Scan using OWASP Zap 5. Compliance Scan on the cloud infrastructure