3. root@whoami
• Kunwar Atul
• Yet another Appsec and DevSecOps Guy
• Break – Fix – Repeat
• Part time Bug Hunter
• Synack Red Team Member
• OWASP MASVS Hindi Contributor (Ongoing Project)
• DevSecOps University Contributor
• I Love Knowing What’s Going On (emerging vulns,
tools, PoC), CTFs, Offensive Security Work, Cricket,
and no compromise with food and coffee.
• Social media: kunwaratulhax0r
4. What is DevOps
• DevOps is a software development method that emphasises collaboration and open
communication between teams; in short, it reduces the gap between teams.
5. What is DevOps
• DevOps is all about Process.
• DevOps is about Connections.
• DevOps is about Tools.
• DevOps is about Automating Everything.
• Continuous Software Delivery.
6. DevOps Goals
• Automated Provisioning
• No Downtime Deployments
• Monitoring
• Automated Builds and Testing
7. What Happens in DevOps
Automate everything using tools
Continuous Development
Continuous Integration
Continuous Testing
Continuous Deployment
Continuous Monitoring
9. Planning Phase
• In the planning phase, all the details related to the current build are logged in
JIRA and YouTrack.
10. Development Phase
• For source code management we have Git and SVN. These tools help us maintain
the code.
11. Build Phase
• Build tools package your code into executable artifacts, which can then be pushed
into the testing environment.
12. Testing Phase
• For continuous testing we will use Robotic Process Automation and other reusable
test code.
13. Release Phase
• For the release phase, automation tools like Bamboo are used to release a build.
14. Deployment Phase
• After the code is tested and ready, it is deployed into production or onto a
non-developer machine at this stage.
15. Operation Phase
• In the operation phase everything is monitored using Security Information and
Event Management (SIEM) tools for security alerts and misbehaviour of the
application.
16. Monitor Phase
• In the monitoring phase, continuous feedback is collected from customers and
monitored.
18. Challenges Without DevSecOps
• With the fast pace of development in the Agile world, there is a lack of focus on security during
the development process.
• The quality of the solution is often compromised from a security standpoint
while focusing on feature deliverables during the Agile development lifecycle.
• Further, it costs the organization's reputation when critical vulnerabilities are found in shipped solution(s).
• Customer sensitive data is compromised due to lack of security testing focus.
• A lot of manual effort in order to perform security testing can lead to a delay in uncovering critical
vulnerabilities and, further, may result in either delaying the deliverables or shipping them with unknown
vulnerabilities.
20. What is DevSecOps
• Security of the CI/CD Pipeline
  • Automated IAM roles, Jenkins server hardening, etc.
• Security in the CI/CD Pipeline
  • Automated security tests, code analysis, etc.
• Security Automation
  • Automated incident response, remediation, forensics, etc.
22. • DevOps = Efficiencies that speed up this lifecycle.
• DevSecOps = Validate building blocks without slowing the lifecycle.
23. DevSecOps: How Important is it?
• Agile took us from months to days to deliver software.
• DevOps took us from months to minutes to deploy software.
• More applications are mission critical.
• Now security has become the bottleneck.
32. Best Practices for DevSecOps
• Train development teams to develop secure code.
• Track security issues the same as software issues.
• If infrastructure is now code, then security should be code.
• Integrate security controls in the software pipeline.
• Automate security tests in the build process.
• Detect known vulnerabilities during the pipeline.
• Monitor security in production for known states.
• Inject failure to ensure security is hardened.
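The "security in the CI/CD pipeline" bullets above (automated security tests, code analysis, detecting known vulnerabilities during the pipeline, tracking security issues like software issues) come together in a build gate. The script below is an added example, not code from the slides or from any tool the deck names: it merges constructed dependency-scanner and SAST findings, applies a severity policy written as code, honours waivers only when they carry a tracking ticket and have not expired, and returns the exit status a CI job would propagate to fail the build. The finding format, advisory IDs, ticket IDs and file paths are all constructed for the example.

```python
"""
Added example: a security-as-code build gate for a CI job (not from the slides).
It runs after the dependency scanner and SAST steps, merges their findings,
applies POLICY, honours tracked exceptions, and returns a non-zero exit code
when a blocking finding remains. All inputs below are constructed.
"""
import json
import sys
from datetime import date

# Constructed policy: severities that fail the build vs. only warn.
POLICY = {
    "fail_on": {"CRITICAL", "HIGH"},
    "warn_on": {"MEDIUM"},
}

# Constructed scanner output. A real job would read these from the JSON
# reports the dependency scanner and SAST tool wrote in earlier steps.
DEPENDENCY_FINDINGS = [
    {"id": "ADV-0001", "package": "examplelib", "version": "1.2.3", "severity": "CRITICAL"},
    {"id": "ADV-0002", "package": "otherlib", "version": "4.0.0", "severity": "MEDIUM"},
]
SAST_FINDINGS = [
    {"id": "SAST-sqli-1", "file": "app/db.py", "line": 42, "severity": "HIGH"},
    {"id": "SAST-hardcoded-1", "file": "app/config.py", "line": 7, "severity": "LOW"},
]

# Constructed waivers: every exception must name a tracking ticket and an
# expiry date, so a waived finding stays visible in the same backlog as bugs.
EXCEPTIONS = {
    "ADV-0002": {"ticket": "SEC-123", "expires": "2999-01-01"},
    "SAST-sqli-1": {"ticket": "SEC-124", "expires": "2000-01-01"},  # already expired
}


def normalize(dep_findings, sast_findings):
    """Merge both scanners' findings into one shape for the policy check."""
    merged = []
    for f in dep_findings:
        merged.append({"id": f["id"], "severity": f["severity"].upper(),
                       "where": f'{f["package"]}@{f["version"]}'})
    for f in sast_findings:
        merged.append({"id": f["id"], "severity": f["severity"].upper(),
                       "where": f'{f["file"]}:{f["line"]}'})
    return merged


def active_exception(finding_id, exceptions, today):
    """Return the waiver for finding_id if one exists and has not expired."""
    exc = exceptions.get(finding_id)
    if exc is None or date.fromisoformat(exc["expires"]) < today:
        return None
    return exc


def evaluate(findings, policy, exceptions, today):
    """Bucket findings; the build fails when 'blocking' is non-empty."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    result = {"blocking": [], "warnings": [], "waived": [], "info": []}
    for f in findings:
        exc = active_exception(f["id"], exceptions, today)
        if exc is not None:
            result["waived"].append({**f, "ticket": exc["ticket"]})
        elif f["severity"] in policy["fail_on"]:
            result["blocking"].append(f)
        elif f["severity"] in policy["warn_on"]:
            result["warnings"].append(f)
        else:
            result["info"].append(f)
    return result


def gate(dep_findings, sast_findings, policy=POLICY, exceptions=EXCEPTIONS, today=None):
    """Run the gate and return the exit code a CI job should propagate (0 = pass)."""
    today = today or date.today().isoformat()
    report = evaluate(normalize(dep_findings, sast_findings), policy, exceptions, today)
    print(json.dumps(report, indent=2))  # the job log is the audit trail
    return 1 if report["blocking"] else 0


if __name__ == "__main__":
    sys.exit(gate(DEPENDENCY_FINDINGS, SAST_FINDINGS))
```

Run as the last step of the build job, the non-zero exit blocks the merge or deploy; with the constructed data the critical advisory and the expired SAST waiver both block, while the medium advisory is waived under its ticket. Keeping POLICY and EXCEPTIONS in the repository alongside the infrastructure code is what the "if infrastructure is code, security should be code" bullet means in practice.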