Here I have shared a basic introduction about DevOps and DevSecOps. What approach a organization should follow, benefits of CI/CD Pipelines etc.

2. Introduction to
DevSecOps
Kunwar Atul (@kunwaratulhax0r)

3. root@whoami
• Kunwar Atul
• Yet another Appsec and DevSecOps Guy
• Break – Fix – Repeat
• Part time Bug Hunter
• Synack Red Team Member
• OWASP MASVS Hindi Contributor (Ongoing
Project)
• DevSecOps University Contributor
• I Love Knowing What’s Going On (emerging vulns,
tools, PoC), CTFs, Offensive Security Work, Cricket,
and no compromise with food and coffee.
• Social media- kunwaratulhax0r

4. What is
DevOps
• DevOps is a software development method
that highlights collaboration and open
communication between teams basically it
reduce the gap between teams.

5. What is DevOps
• DevOps is all about Process.
• DevOps is about Connections.
• DevOps is about Tools.
• DevOps is about Automating Everything.
• Continuous Software Delivery.

6. DevOps Goals
• Automated Provisioning
• No Downtime Deployments
• Monitoring
• Automated Builds and Testing

7. What Happens in DevOps
Automate everything using tools
 Continuous Development
 Continuous Integration
 Continuous Testing
 Continuous Deployment
 Continuous Monitoring

8. Finally
• Great Customer Satisfaction
• Increased Productivity

9. Planning Phase
• In the planning phase all the details related to
current build will be logged in the JIRA and
Yutrack.

10. Development Phase
• For Source Code Management we have GIT and
SVN. These tools will help us in maintaining the
code.

11. Build Phase
• They help you package your code into
executable files which can then be produced into
the testing environment.

12. Testing Phase
• For continuous testing we will use Robotic
Process Automation and some other reusability
code.

13. Release Phase
• For the release phase, automate tools like
bamboo are used in the releasing a build.

14. Deployment Phase
• After the code is tested and ready it will be
deployed into production or the non-developer
machine at this stage.

15. Operation Phase
• In the operation phase everything will be
monitored by using Security Incident and Event
Management (SIEM Tools) for security alerts and
misbehavior of application.

16. Monitor Phase
• In the monitoring phase, continuous feedbacks
will be taken from customers and will be
monitoring them.

17. Challenges
(Without
DevSecOps)

18. Challenges Without DevSecOps
• With the fast pace of development in the Agile world, there is a lack of focus on security during the
development process.
• The quality of the solution is often compromised from a security standpoint
while focusing on feature deliverables during the Agile development lifecycle.
• Further, it costs the organization's reputation when critical vulnerabilities are found in shipped solution(s).
• Customer sensitive data is compromised due to lack of security testing focus.
• A lot of manual effort in order to perform security testing can lead to a delay in uncovering critical
vulnerabilities and, further, may result in either delaying the deliverables or shipping them with unknown
vulnerabilities.

19. What is DevSecOps
Development
SecurityOperations
DevSecOps is a software
development concept or mindset
that aims at unifying development,
operations, and security as a single
process in SDLC.

20. What is DevSecOps
• Security of the CI/CD Pipeline
• Automated IAM roles, Jenkins server hardening, etc.
• Security in the CI/CD Pipeline
• Automated security tests, code analysis etc.
• Security Automation
• Automated Incident Response Remediation, forensics etc.

22. • DevOps = Efficiencies that speed up this lifecycle.
• DevSecOps = Validate building blocks without slowing lifecycle.

23. DevSecOps: How Important is it?
• Agile took us from months to days to deliver software.
• DevOps took us from months to minutes to deploy software.
• More applications are mission critical.
• Now security has become the bottleneck.

24. DevSecOps makes
everyone
responsible for
Security, because
Security is not
one-person job.

25. People: What type of Skills are
Required?
9
2.5 2.5
2.5
2.5
9
2.5
9
2.5
0
2
4
6
8
10
12
14
16
Developer Sysadmin Security Engineer
Skills Chart
Dev Sec Ops

26. Security
Champions

27. The Main Course
• Vulnerability Scans and Assessments
• Threat Modelling
• Secure Code Reviews (Static Code Analysis)
• Penetration Testing
Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore

28. The Gravy
• Educating developers on Secure Coding
• Practices with workshops, talk, lessons
• Secure Coding Standards
• Responsible Disclosures
• Secure Code Library and other reference materials, creating custom tools
Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore

29. The Dessert
• Bug Bounty Programs
• CTF’s
• Red Team Exercises
Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore

31. DevSecOps
Pipeline for
Appsec

32. Best Practices for DevSecOps
• Train development teams to develop secure code.
• Track security issues the same as software issues.
• If infrastructure is now code, then security should be code.
• Integrate security controls in the software pipeline.
• Automate security test in the build process.
• Detect known vulnerabilities during the pipeline.
• Monitor security in the production for known states
• Inject failure to ensure security is hardend.

33. References
1
https://www.slide
share.net/Amazon
WebServices/intro
duction-to-
devsecops
2
https://www.slide
share.net/Sumo_L
ogic/you-build-it-
you-secure-it-
introduction-to-
devsecops
3
https://dzone.com
/articles/devsecop
s-overview
4
https://www.devs
eccon.com/wp-
content/uploads/2
017/07/DevSecOp
s-whitepaper.pdf
5
https://www.slide
share.net/narudo
mr/devsecops-101
6
https://www.slide
share.net/sethukri
shna3/introductio
n-to-devsecops-
107904125
7
https://www.slide
share.net/DevOpsI
ndonesia/the-
state-of-devsecops
8
https://www.slide
share.net/Dragon
Be/devops-or-
devsecops

34. Q/A

35. Thank You
Reach me: @kunwaratulhax0r