DevSecOps

1. DevSecOps. Joel Divekar, KL, Malaysia
   - WhatsApp: +60 123700515 / +91 9920208223
   - Mail: joel.divekar@gmail.com
   - Skype: joel_divekar@hotmail.com
   - Blog: http://joeldivekar.blogspot.com/
   - LinkedIn: http://www.linkedin.com/in/joeldivekar
   - Presentation: http://www.slideshare.net/JoelDivekar
2. What is DevOps?
3. DevOps is a philosophy. Not a method, nor a framework, nor knowledge.
4. DevOps is unifying development and operations. It's a way of doing development activities, a way of thinking. It's a culture.
5. DevOps is ... automation of the various tasks involved in deploying an application / service and managing it.
6. DevOps process
   - The developer writes the code and pushes it to a centralised repository
   - The central repository maintains version control
   - The CI / CD server pulls the code, compiles it and builds the artifacts/binaries
   - These artifacts/binaries are then pushed to the central repository
   - The artifacts/binaries are then pulled out and deployed to staging for testing
   - Depending upon the deployment strategy, services are deployed as containers
   - After successful UAT/QA the deployment is done on the production environment
   - Production uptime is monitored using monitoring services
7. Key phases of DevOps
   - Version control
   - Continuous integration / continuous deployment
   - Configuration management / automation
   - Virtualisation / containers
   - Monitoring
   - Log management
8. Open source tools
   - Version control: Git
   - Build and CI: Ant, Maven, Gradle, Jenkins, Hudson ...
   - Configuration management / automation: Chef, Puppet, Ansible
   - Virtualisation: VirtualBox, Xen
   - Containers: LXC, Docker, Kubernetes, Rocket
   - Monitoring: Nagios Core, Icinga 2
   - Logging: Graylog, Logstash
   - Security: Nmap, OSSEC, OpenVAS, Metasploit ...
9. Well, this is the old way of doing things. Now it's ...
10. Dev.Sec.Ops
11. DevSecOps brings in new changes
12. DevSecOps brings in new changes (continued)
   - Before developers can push code to the centralised repository, it is checked for sensitive information like access keys and SSH keys
   - Config files are also checked for credentials
   - The software stack is analysed for unpatched vulnerabilities and vulnerable dependencies
   - Automated security code reviews look for SQL injection, cross-site scripting etc.
   - Web application scanners scan the target applications / microservices (APIs) for vulnerabilities
13. DevSecOps brings in new changes (continued)
   - Container images are scanned before being used
   - The whole production network / environment is also scanned for vulnerabilities
   - Organisations apply compliance controls to their infrastructure to abide by defined best practices and regulations like PCI DSS, PA DSS, HIPAA, SOX etc.
   - Now that production systems face new and unknown threats or unforeseen vectors, monitoring and server logging systems are in place to alert on any anomalies noticed or zero-day attacks
14. Thanks. End of Part I
15. DevSecOps – Part II. Dated: 26th Aug 2019. Joel Divekar, KL, Malaysia
   - WhatsApp: +91 9920208223 / +60 123700515
   - Mail: joel.divekar@gmail.com
   - Skype: joel_divekar@hotmail.com
   - Blog: http://joeldivekar.blogspot.com/
   - LinkedIn: http://www.linkedin.com/in/joeldivekar
   - Presentation: http://www.slideshare.net/JoelDivekar
16. Server hardening: open source audit tool – Lynis (1/3). Lynis is a tool which audits a server for vulnerabilities and gives you an audit report with suggestions, covering:
   - Kernel
   - Boot & services
   - Memory & running processes
   - Users and groups
   - Authentication
   - Shells
   - File system
   - DNS services
   - Networking
   - SSH
   - SNMP support
   - Logging
   - Scheduled / cron jobs
   - Time service
   - File integrity / permissions
   - Malware / antivirus tools
17. Server hardening: open source audit tool – Lynis (2/3). Installing & using Lynis
   1] Create /etc/yum.repos.d/cisofy-lynis.repo: run `# vi /etc/yum.repos.d/cisofy-lynis.repo` and add

   ```
   [lynis]
   name=CISOfy Software - Lynis package
   baseurl=https://packages.cisofy.com/community/lynis/rpm/
   enabled=1
   gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
   gpgcheck=1
   priority=2
   ```

   and save the file
18. Server hardening: open source audit tool – Lynis (3/3). Lynis (continued)
   2] Update additional packages: `# yum update ca-certificates curl nss openssl`
   3] Install Lynis: `# yum install lynis`
   4] Run the audit: `# lynis audit system`
19. Thanks for your time & please join my meetup groups: DevSecOps, Infra / Cloud Security, Blockchain
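The pre-push secret check that slide 12 describes (code and config files checked for access keys, SSH keys and credentials before they reach the central repository), as an added example that is not taken from the presentation: a small Python scanner of the kind a pre-push hook would run over the staged files. The rule set, the placeholder allow-list and the sample files are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Rules for the secret classes the slide names. The AWS access key ID layout (AKIA/ASIA + 16 chars)
# and the PEM header are public formats; the config-credential rule is a constructed heuristic.
SECRET_RULES: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "config_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[a-z0-9_]*\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# Placeholder values that must not block a push (constructed allow-list; adjust per project).
PLACEHOLDERS = {"changeme", "<redacted>", "your_password_here"}

def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number, rule name) for each line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "config_credential":
                value = match.group(1)
                # Environment references such as ${DB_PASSWORD} and placeholders are not secrets.
                if value.startswith("${") or value.lower() in PLACEHOLDERS:
                    continue
            findings.append((path, lineno, rule))
    return findings

def check_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan every file about to be pushed (path -> contents); a non-empty result blocks the push."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample of staged files; the AWS values are AWS's own documentation examples, the key body is truncated.
SAMPLE_FILES = {
    "config/app.yml": "db_host: db.internal\npassword: changeme\napi_key: ${API_KEY}\n",
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n"
                   "-----END OPENSSH PRIVATE KEY-----\n",
}
if __name__ == "__main__":
    for path, lineno, rule in check_files(SAMPLE_FILES):
        print(f"blocked: {path}:{lineno} ({rule})")
    raise SystemExit(1 if check_files(SAMPLE_FILES) else 0)
```

Run as a git pre-push hook, the non-zero exit on any finding is what stops the push; the config file with only a placeholder and an environment reference passes cleanly.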