DEVOPS INDONESIA
Jakarta, 26 September 2018
DevSecOps: The Open Source Way
DevOps Community in Indonesia
By Yusuf Hadiwinata Sutandar
At
DEVOPS INDONESIA HOUSE RULES
100% ATTENTION
TAKE NOTES, NOT CALLS
RECEIVE KNOWLEDGE, NOT MESSAGES
MUTE NOTIFICATIONS FOR SLACK QQ WHATSAPP IMESSAGE EMAIL
TELEGRAM SNAPCHAT FACEBOOK WEIBO HANGOUTS VOXER SIGNAL G+
TWITTER VIBER SKYPE WECHAT LINE SMS ...
Let’s get to know each other
Linux Geek | OpenSource Enthusiast | Security Hobbies
Yusuf Hadiwinata Sutandar
Managing risk in a volatile DevOps world
Raise Your Hand!
Who..
...has heard of Docker?
...knows what Docker is?
...has tried Docker?
or
...uses Docker?
...uses Docker in production?
...with additional tools?
...or even implement DevSecOps?
Or SecDevOps..
DevOpsSec?!!
Or maybe SecDevSecOpsSec?
WHY DevSecOps?
● DevOps “purists” point out that security was always part of DevOps
● Did people just not read the book? Are practitioners skipping security?
● DevSecOps practitioners say it’s about how to continuously integrate and automate security at scale
● Goals:
  ● Protecting private user data and company data
  ● Restricting access
  ● Standards compliance
GLASS HALF EMPTY, GLASS HALF FULL
“... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”
DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
Security is seen as an inhibitor to DevOps
Security infrastructure has lagged in its ability to become ‘software defined’ and programmable, making it difficult to integrate...
Modern applications are largely ‘assembled,’ not developed, and developers often download and use known vulnerable open-source components and frameworks
Applications are ‘assembled’...
...utilizing billions of available libraries, frameworks and utilities
● Not all are created equal: some are healthy and some are not
● All go bad over time; they age like milk, not like wine
● Data shows enterprises consumed an average of 229,000 software components annually, of which 17,000 had a known security vulnerability
THE PERFECT STORM
● Cloud
● DevOps
● Open Source Software
● innovation explosion
● Containers/Microservices
● Digital transformation
YOU MANAGE RISK BY
● Securing the Assets/Infra
● Securing the Dev
● Securing the Ops
● Securing the APIs
SECURING THE ASSETS
● Building code
  ● Watching for changes in how things get built
  ● Signing the builds
● Built assets
  ● Scripts, binaries, packages (RPMs), containers (OCI images), machine images (ISOs, etc.)
  ● Registries (Service, Container, App)
  ● Repositories (local on-host image assets)
SECURING THE SOFTWARE ASSETS - E.G. IMAGE REGISTRY
● Public and private registries
● Do you require a private registry?
● What security meta-data is available for your images?
● Are the images in the registry updated regularly?
● Are there access controls on the registry? How strong are they?
● Who can push images to the registry?
SECURING THE ASSETS
HEALTH - Security freshness
● Freshness grade for container security
● Monitor the image registry to automatically replace affected images
● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
SECURING THE DEVELOPMENT PROCESS
● Potentially lots of parallel builds
● Source code
  ● Where is it coming from?
  ● Who is it coming from?
● Supply chain tooling
  ● CI tools (e.g. Jenkins)
  ● Testing tools
  ● Scanning tools (e.g. Black Duck, Sonatype)
SECURING THE OPERATIONS
▪ Deployment
  ▪ Trusted registries and repos
  ▪ Signature authentication and authorization
  ▪ Image scanning
  ▪ Policies
  ▪ Ongoing assessment with automated remediation
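As an added example, not taken from the slides or from any of the tools they name, the gates listed here and on the earlier "security freshness" slide (trusted registry, verified signature, scan result, no root, image age) can be encoded as one policy check that a pipeline runs before it deploys an image. The registry names, severity threshold, age limit and the two image records are constructed for illustration; a real pipeline would fill the record from the registry, the signing tool and the scanner.

```python
# Added example (not from the slides or any project): a deployment gate that
# applies the controls the slides list for built assets and operations:
# trusted registry, verified signature, vulnerability scan threshold,
# "no root" and image freshness. All input records are constructed here.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Policy settings (assumed values for the example; tune per environment)
TRUSTED_REGISTRIES = {"registry.internal.example", "quay.io/ourteam"}
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
MAX_ALLOWED_SEVERITY = "Medium"   # findings above this block the deployment
MAX_IMAGE_AGE_DAYS = 30           # "security freshness" gate


@dataclass
class ImageMeta:
    """What the pipeline knows about an image before it is deployed."""
    ref: str                  # full reference, e.g. registry.internal.example/app:1.2.3
    user: str                 # OCI config "User" field ("" means the image runs as root)
    signature_verified: bool  # result of the signature check by the signing tool
    built_at: datetime        # build timestamp from the image metadata
    vulns: List[Tuple[str, str]] = field(default_factory=list)  # (id, severity) from the scanner


def from_trusted_registry(ref: str) -> bool:
    """True when the reference starts with one of the allowed registry prefixes."""
    return any(ref.startswith(prefix + "/") for prefix in TRUSTED_REGISTRIES)


def runs_as_root(user: str) -> bool:
    """OCI images run as uid 0 unless USER names a non-root user or uid."""
    name = user.split(":")[0].strip()
    return name in ("", "0", "root")


def findings_over_threshold(vulns: List[Tuple[str, str]]) -> List[str]:
    """Return the ids of findings whose severity exceeds the policy limit."""
    limit = SEVERITY_RANK[MAX_ALLOWED_SEVERITY]
    # unknown severity strings are treated as Critical, never silently ignored
    return [vid for vid, sev in vulns if SEVERITY_RANK.get(sev, 4) > limit]


def evaluate(image: ImageMeta, now: Optional[datetime] = None) -> List[str]:
    """Return the list of policy violations; an empty list means 'allowed'."""
    now = now or datetime.now(timezone.utc)
    violations = []
    if not from_trusted_registry(image.ref):
        violations.append(f"untrusted registry in reference {image.ref}")
    if not image.signature_verified:
        violations.append("image signature not verified")
    if runs_as_root(image.user):
        violations.append("container would run as root")
    over = findings_over_threshold(image.vulns)
    if over:
        violations.append("findings above %s: %s" % (MAX_ALLOWED_SEVERITY, ", ".join(over)))
    if now - image.built_at > timedelta(days=MAX_IMAGE_AGE_DAYS):
        violations.append("image older than %d days; rebuild and rescan" % MAX_IMAGE_AGE_DAYS)
    return violations


# Constructed sample records (not real images and not real CVE ids)
NOW = datetime(2018, 9, 26, tzinfo=timezone.utc)
GOOD_IMAGE = ImageMeta(
    ref="registry.internal.example/shop/api:1.4.2",
    user="1000:1000",
    signature_verified=True,
    built_at=datetime(2018, 9, 20, tzinfo=timezone.utc),
    vulns=[("CVE-EXAMPLE-0001", "Low")],
)
BAD_IMAGE = ImageMeta(
    ref="docker.io/someone/api:latest",
    user="",
    signature_verified=False,
    built_at=datetime(2018, 6, 1, tzinfo=timezone.utc),
    vulns=[("CVE-EXAMPLE-0002", "Critical"), ("CVE-EXAMPLE-0003", "Medium")],
)

if __name__ == "__main__":
    for img in (GOOD_IMAGE, BAD_IMAGE):
        result = evaluate(img, now=NOW)
        print(img.ref, "->", "ALLOW" if not result else "DENY")
        for v in result:
            print("  -", v)
```

The check reports every failed gate rather than stopping at the first one, so a denied deployment tells the team the full list of what to fix; an unknown severity string from the scanner is ranked as Critical on purpose, so a scanner format change fails closed instead of silently passing.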
SECURING THE OPERATIONS
Lifecycle
● Blue Green or A/B or Canary, continuous deployments
● Monitoring deployments
● Possibly multiple environments
Modern architectures are API driven and require a DevOps approach to API management. Visibility, routing, and authorization are key security concerns.
Culture
DevOps Life Cycle
Plan - Threat Modeling Tools
OWASP Threat Dragon Project
Threat Dragon is a free, open-source threat modeling tool from OWASP. It can be used as a standalone desktop app for Windows and MacOS (Linux coming soon) or as a web application.
The desktop app is great if you want to try the application without giving it access to your GitHub repos, but if you choose the online version you get to unleash the awesome power of GitHub on your threat models! Obviously, to do this you need to log in first.
https://github.com/appsecco/owasp-threat-dragon-gitlab
Docker Host Security Compliance
Security Automation for Containers and VMs with OpenSCAP
SCAP is a set of specifications related to security automation. SCAP is used to improve security posture (hardening and finding vulnerabilities) as well as for regulatory compliance reasons.
https://github.com/dstraub/satellite-plugin
https://github.com/RedHatSatellite/soe-ci
https://servicesblog.redhat.com/2017/06/12/standard-operating-environment-part-iii-a-reference-implementation/
API-aware Networking and Security
Cilium brings API-aware network security filtering to Linux container frameworks like Docker and Kubernetes. Using a new Linux kernel technology called BPF, Cilium provides a simple and efficient way to define and enforce both network-layer and application-layer security policies based on container/pod identity.
Secure container-aware credentials storage, trust management.
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.
https://github.com/jenkinsci/hashicorp-vault-plugin
Static source-code analysis / static application security testing (SAST)
Brakeman - Rails Security Scanner
Static analysis security scanner for Ruby on Rails
https://jenkins.io/doc/pipeline/steps/brakeman/
https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/
Static source-code analysis / static application security testing (SAST)
SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages
https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Jenkins
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
Integrate image scanning into Jenkins pipelines with clairctl
Clairctl is a lightweight command-line tool that bridges registries such as Docker Hub, Docker Registry or Quay.io and the CoreOS vulnerability tracker, Clair. Clairctl acts as a reverse proxy for authentication.
https://github.com/jgsqware/clairctl
Jenkins CI Image Vulnerability Scan
https://github.com/protacon/ci-image-vulnerability-scan
Static Application Security Testing (SAST)
Clair: The Container Image Security Analyzer
Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).
https://github.com/benfab/clair-demo
Dynamic Application Security Testing (DAST)
OWASP Zed Attack Proxy Project
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.
https://plugins.jenkins.io/zapper
https://wiki.jenkins.io/display/JENKINS/Zapper+Plugin
https://youtu.be/xMLb7BDdfNo
Dynamic Application Security Testing (DAST)
Free, Simple, Distributed, Intelligent, Powerful, Friendly.
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.
https://blog.secodis.com/2016/03/17/automated-security-tests-3-jenkins-arachni-threadfix/
https://wiki.jenkins.io/display/JENKINS/Arachni+Scanner+plugin
Mobile Application Security Testing (MAST)
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless.
https://medium.com/@omerlh/how-to-continuously-hacking-your-app-c8b32d1633ad
https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/10.-MobSF-CI-CD
Security Framework
Managed Ecosystem for Secure Operations
SIMP is an Open Source, fully automated, and extensively tested framework that can either enhance your existing infrastructure or allow you to quickly build one from scratch. Built on the mature Puppet product suite, SIMP is designed around scalability, flexibility, and compliance.
Container Security Framework
NIST Special Publication 800-190: Application Container Security Guide
Control families covered: Access Control; Configuration Management; System and Communications Protection; System and Information Integrity; Audit and Accountability; Awareness and Training; Identification and Authentication; Incident Response; Risk Assessment
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
BRINGING IT ALL TOGETHER
Homework!!
Continuous learning of DevSecOps concepts
OWASP DevSecOps Studio Project
DevSecOps Studio is a one-of-its-kind, self-contained DevSecOps environment/distribution to help individuals learn DevSecOps concepts. It takes a lot of effort to set up the environment for training/demos, and more often than not it is error prone when done manually.
Features:
● Easy-to-set-up environment with just one command, “vagrant up”
● Teaches Security as Code, Compliance as Code, Infrastructure as Code
● Built-in support for a CI/CD pipeline
● OS hardening using Ansible
● Compliance as code using InSpec
● QA security using ZAP, BDD-Security and Gauntlt
● Static tools like bandit, brakeman, windbags, gitrob, gitsecrets
● Security monitoring using the ELK stack
● Git server to store code and infrastructure (as code)
● CI/CD pipeline to embed security as part of CI/CD: SAST, DAST, hardening, compliance, etc.
● Add security tools as jobs
● Analyze and fix the issues found
https://github.com/teacheraio/DevSecOps-Studio/wiki
Stay Connected
linkedin.com/in/yusufhadiwinata/
https://www.meetup.com/Docker-Indonesia/
facebook.com/yusuf.hadiwinata
@IDDevOps
Are You Awesome?
We are Hiring !
Alone We are smart, together We are brilliant
THANK YOU !
Quote by Steve

GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

DevSecOps : The Open Source Way by Yusuf Hadiwinata

  • 1. PAGE1 DEVOPS INDONESIA
    Jakarta, 26 September 2018
    DevSecOps: The Open Source Way
    DevOps Community in Indonesia
    By Yusuf Hadiwinata Sutandar
  • 2. DEVOPS INDONESIA HOUSE RULES
    100% ATTENTION. TAKE NOTES, NOT CALLS. RECEIVE KNOWLEDGE, NOT MESSAGES.
    MUTE NOTIFICATIONS FOR SLACK QQ WHATSAPP IMESSAGE EMAIL TELEGRAM SNAPCHAT FACEBOOK WEIBO HANGOUTS VOXER SIGNAL G+ TWITTER VIBER SKYPE WECHAT LINE SMS ...
  • 3. Let's get to know each other
  • 4. Linux Geek | OpenSource Enthusiast | Security Hobbies
    Yusuf Hadiwinata Sutandar
  • 5. Managing risk in a volatile DevOps world
  • 6. Raise Your Hand! Who...
    ...has heard of Docker?
  • 8. ...has tried Docker? or ...uses Docker?
  • 9. ...uses Docker in production? ...with additional tools?
  • 10. ...or even implements DevSecOps? Or SecDevOps... DevOpsSec?!! Or maybe SecDevSecOpsSec?
  • 11. WHY DevSecOps?
    ● DevOps "purists" point out that security was always part of DevOps
    ● Did people just not read the book? Are practitioners skipping security?
    ● DevSecOps practitioners say it's about how to continuously integrate and automate security at scale
    ● Goals:
      ● Protecting private user data / company data
      ● Restricting access
      ● Standards compliance
  • 14. GLASS HALF EMPTY, GLASS HALF FULL
    "... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps."
    "By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016."
    DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
  • 15. Security is seen as an inhibitor to DevOps
    Security infrastructure has lagged in its ability to become 'software defined' and programmable, making it difficult to integrate...
    Modern applications are largely 'assembled,' not developed, and developers often download and use known vulnerable open-source components and frameworks.
  • 16. Applications are 'assembled'... utilizing billions of available libraries, frameworks and utilities
    ● Not all are created equal: some are healthy and some are not
    ● All go bad over time; they age like milk, not like wine
    ● Data shows enterprises consumed an average of 229,000 software components annually, of which 17,000 had a known security vulnerability
  • 17. THE PERFECT STORM
    ● Cloud
    ● DevOps
    ● Open Source Software
    ● Innovation explosion
    ● Containers/Microservices
    ● Digital transformation
  • 18. YOU MANAGE RISK BY
    ● Securing the Assets/Infra
    ● Securing the Dev
    ● Securing the Ops
    ● Securing the APIs
  • 19. SECURING THE ASSETS
    ● Building code
      ● Watching for changes in how things get built
      ● Signing the builds
    ● Built assets
      ● Scripts, binaries, packages (RPMs), containers (OCI images), machine images (ISOs, etc.)
    ● Registries (Service, Container, App)
    ● Repositories (local on-host image assets)
  • 20. SECURING THE SOFTWARE ASSETS - E.G. IMAGE REGISTRY
    ● Public and private registries
    ● Do you require a private registry?
    ● What security metadata is available for your images?
    ● Are the images in the registry updated regularly?
    ● Are there access controls on the registry? How strong are they?
    ● Who can push images to the registry?
  • 22. SECURING THE ASSETS' HEALTH - Security freshness
    ● Freshness grade for container security
    ● Monitor the image registry to automatically replace affected images
    ● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
  • 24. SECURING THE DEVELOPMENT PROCESS
    ● Potentially lots of parallel builds
    ● Source code
      ● Where is it coming from?
      ● Who is it coming from?
    ● Supply chain tooling
      ● CI tools (e.g. Jenkins)
      ● Testing tools
      ● Scanning tools (e.g. Black Duck, Sonatype)
  • 25. SECURING THE OPERATIONS - Deployment
    ▪ Trusted registries and repos
    ▪ Signature authenticating and authorizing
    ▪ Image scanning
    ▪ Policies
    ▪ Ongoing assessment with automated remediation
  • 26. SECURING THE OPERATIONS - Lifecycle
    ● Blue/Green, A/B or Canary continuous deployments
    ● Monitoring deployments
    ● Possibly multiple environments
  • 27. Modern architectures are API driven, requiring a DevOps approach to API management. Visibility, routing, and authorization are key security concerns.
  • 37. Plan - Threat Modeling Tools: OWASP Threat Dragon Project
    Threat Dragon is a free, open-source threat modeling tool from OWASP. It can be used as a standalone desktop app for Windows and MacOS (Linux coming soon) or as a web application. The desktop app is great if you want to try the application without giving it access to your GitHub repos, but if you choose the online version you get to unleash the awesome power of GitHub on your threat models! Obviously, to do this you need to log in first.
    https://github.com/appsecco/owasp-threat-dragon-gitlab
  • 39. Docker Host Security Compliance
  • 40. Security Automation for Containers and VMs with OpenSCAP
    SCAP is a set of specifications related to security automation. SCAP is used to improve security posture (hardening and finding vulnerabilities) as well as for regulatory reasons.
    https://github.com/dstraub/satellite-plugin
    https://github.com/RedHatSatellite/soe-ci
    https://servicesblog.redhat.com/2017/06/12/standard-operating-environment-part-iii-a-reference-implementation/
  • 41. API-aware Networking and Security
    Cilium brings API-aware network security filtering to Linux container frameworks like Docker and Kubernetes. Using a new Linux kernel technology called BPF, Cilium provides a simple and efficient way to define and enforce both network-layer and application-layer security policies based on container/pod identity.
  • 42. Secure container-aware credentials storage, trust management
    HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL database credentials, X.509 certificates, SSH credentials, and more.
    https://github.com/jenkinsci/hashicorp-vault-plugin
  • 44. Static source-code analysis / static application security testing (SAST)
    Brakeman - Rails Security Scanner: a static analysis security scanner for Ruby on Rails.
    https://jenkins.io/doc/pipeline/steps/brakeman/
    https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/
  • 45. Static source-code analysis / static application security testing (SAST)
    SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in 20+ programming languages.
    https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Jenkins
    https://www.owasp.org/index.php/Source_Code_Analysis_Tools
  • 47. Integrate image scanning into Jenkins pipelines with clairctl
    Clairctl is a lightweight command-line tool that bridges registries such as Docker Hub, Docker Registry or Quay.io and the CoreOS vulnerability tracker, Clair. Clairctl acts as a reverse proxy for authentication.
    https://github.com/jgsqware/clairctl
    Jenkins CI Image Vulnerability Scan: https://github.com/protacon/ci-image-vulnerability-scan
    Static Application Security Testing (SAST) - Clair: The Container Image Security Analyzer
    Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).
    https://github.com/benfab/clair-demo
  • 48. Dynamic Application Security Testing (DAST)
    OWASP Zed Attack Proxy Project is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
    https://plugins.jenkins.io/zapper
    https://wiki.jenkins.io/display/JENKINS/Zapper+Plugin
    https://youtu.be/xMLb7BDdfNo
  • 50. Dynamic Application Security Testing (DAST)
    Free, Simple, Distributed, Intelligent, Powerful, Friendly. Arachni is a feature-full, modular, high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of modern web applications.
    https://blog.secodis.com/2016/03/17/automated-security-tests-3-jenkins-arachni-threadfix/
    https://wiki.jenkins.io/display/JENKINS/Arachni+Scanner+plugin
  • 52. Mobile Application Security Testing (MAST)
    Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless.
    https://medium.com/@omerlh/how-to-continuously-hacking-your-app-c8b32d1633ad
    https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/10.-MobSF-CI-CD
  • 54. Security Framework - Managed Ecosystem for Secure Operations
    SIMP is an Open Source, fully automated, and extensively tested framework that can either enhance your existing infrastructure or allow you to quickly build one from scratch. Built on the mature Puppet product suite, SIMP is designed around scalability, flexibility, and compliance.
  • 55. Container Security Framework
    NIST Special Publication 800-190: Application Container Security Guide
    Access Control; Configuration Management; System and Communications Protection; System and Information Integrity; Audit and Accountability; Awareness and Training; Identification and Authentication; Incident Response; Risk Assessment
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
  • 58. Continuous learning of DevSecOps concepts: OWASP DevSecOps Studio Project
    DevSecOps Studio is a one-of-its-kind, self-contained DevSecOps environment/distribution to help individuals learn DevSecOps concepts. It takes a lot of effort to set up the environment for training/demos and, more often than not, it is error prone when done manually.
    Features:
    ● Easy-to-set-up environment with just one command: "vagrant up"
    ● Teaches Security as Code, Compliance as Code, Infrastructure as Code
    ● Built-in support for a CI/CD pipeline
    ● OS hardening using Ansible
    ● Compliance as code using InSpec
    ● QA security using ZAP, BDD-Security and Gauntlt
    ● Static tools like bandit, brakeman, windbags, gitrob, gitsecrets
    ● Security monitoring using the ELK stack
  • 59. ● Git server to store code and infrastructure (as code)
    ● CI/CD pipeline to embed security as part of CI/CD: SAST, DAST, hardening, compliance, etc.
    ● Add security tools as jobs
    ● Analyze and fix the issues found
    https://github.com/teacheraio/DevSecOps-Studio/wiki
  • 61. Are You Awesome? We are Hiring!
  • 62. Alone we are smart, together we are brilliant. THANK YOU! Quote by Steve
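The deck leaves the deployment gate it describes (slides 22, 25 and 47: block images that need root, feed image-scan results into the pipeline, grade images by freshness and replace affected ones) at the bullet-point level. The following Python is an added example, not code from the talk or from Clair, clairctl or Jenkins: it evaluates an image record against a policy and returns every blocking finding so a pipeline stage can fail with a complete reason list. The `ImageRecord`, `Vulnerability` and `Policy` types and the sample images are constructed for this example and do not follow Docker's `inspect` output or Clair's report schema; a real stage would fill them from those tools.

```python
"""Deployment policy gate for container images (added example, not from the deck).

Three checks from the slides: block images that run as root, block images whose
scan shows vulnerabilities above a severity threshold, and block stale images
via a freshness grade. All input shapes are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date

# Severity ladder used by the threshold comparison (constructed ordering).
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3,
                 "High": 4, "Critical": 5}


@dataclass
class Vulnerability:
    cve: str
    severity: str
    fixed_in: str = ""          # package version carrying the fix; "" means none known


@dataclass
class ImageRecord:
    """Simplified image metadata (NOT Docker's `inspect` or Clair's report format)."""
    name: str
    user: str                   # value of the image's USER directive; "" means unset
    built: date
    vulns: list = field(default_factory=list)


@dataclass
class Policy:
    max_severity: str = "Medium"   # highest severity still allowed through the gate
    block_root: bool = True
    max_age_days: int = 90


def runs_as_root(image):
    """True when USER is unset, 'root' or uid 0 (a ':group' suffix is ignored)."""
    user = image.user.strip().split(":")[0]
    return user in ("", "root", "0")


def freshness_grade(image, today, policy):
    """Letter grade from image age: A up to 30 days, B up to max_age_days, else F."""
    age = (today - image.built).days
    if age <= 30:
        return "A"
    if age <= policy.max_age_days:
        return "B"
    return "F"


def evaluate(image, policy=Policy(), today=date(2018, 9, 26)):
    """Return (allowed, reasons); every blocking finding is listed, not only the first."""
    reasons = []
    if policy.block_root and runs_as_root(image):
        reasons.append("runs as root (USER is '%s')" % image.user)
    limit = SEVERITY_RANK[policy.max_severity]
    for v in image.vulns:
        if SEVERITY_RANK.get(v.severity, 0) > limit:
            fix = "fixed in %s" % v.fixed_in if v.fixed_in else "no fix available"
            reasons.append("%s is %s (%s)" % (v.cve, v.severity, fix))
    if freshness_grade(image, today, policy) == "F":
        reasons.append("built %s, older than %d days" % (image.built, policy.max_age_days))
    return (not reasons, reasons)


def gate_all(images, policy=Policy(), today=date(2018, 9, 26)):
    """Map image name -> (allowed, reasons); a pipeline stage fails if any image is blocked."""
    return {img.name: evaluate(img, policy, today) for img in images}


# Constructed sample images; the CVE ids are placeholders, not real advisories.
SAMPLE_IMAGES = [
    ImageRecord("registry.example/web:1.4", user="app:app", built=date(2018, 9, 1),
                vulns=[Vulnerability("CVE-EXAMPLE-0001", "Low")]),
    ImageRecord("registry.example/legacy-api:0.9", user="", built=date(2018, 3, 1),
                vulns=[Vulnerability("CVE-EXAMPLE-0002", "High", fixed_in="1.2.3-4"),
                       Vulnerability("CVE-EXAMPLE-0003", "Critical")]),
]

if __name__ == "__main__":
    for name, (ok, why) in gate_all(SAMPLE_IMAGES).items():
        print(name, "ALLOW" if ok else "BLOCK", why)
```

Reporting whether a fix exists alongside each blocking CVE is what makes the "automatically replace affected images" step from slide 22 actionable: a finding with `fixed_in` set can be remediated by a rebuild, while one without it needs a risk decision rather than a retry.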