The document discusses the similarities between making cheesecake and building software applications. It notes that both processes require trusting where ingredients/libraries come from and having transparency in the overall process. This includes knowing the ingredients/libraries, who uses them, and where they are stored. The document advocates integrating security practices like DevSecOps earlier in the development lifecycle to help build more secure applications faster.
4. @JFrog | jfrog.com/shownotes | #Meetup | #DevSecOps | @LeonStigter
Who am I?
• Developer Advocate
• Passionate about Serverless,
Containers, and all things
Cloud
• I love dadjokes, cheesecake
and Go
@LeonStigter
Leon Stigter, Developer Advocate
Let’s play a game! Which project is this…
• A giant cybersecurity breach compromised the personal information of as many as 143 million Americans
• An attacker could exploit “this” by using a malicious tar binary to write files to any path on the target machine whenever
There are 2 hard problems in computer science:
cache invalidation, naming things, and off-by-1 errors.
- Leon Bambrick
What is DevSecOps?
The philosophy of integrating security practices within the DevOps process. #SecurityFirst culture!
How? By introducing security earlier in the life cycle of application development.
The three P’s of DevSecOps
• Protocols, like zero-trust, to implement in your pipelines (what)
• Processes, dictating how to add security to DevOps (how)
• Philosophy, of shared ownership and cooperation between the teams (why)
Source: https://www.infoq.com/articles/evolve-devops-devsecops/
Well, let’s talk about numbers
Q1 2019
• More than 1,900 incidents (up by 56.4%)
• Close to 2B records exposed (up by 28.9%)
Let’s make it slightly worse
Q1 2019
• 3 breaches with 100M+ records
• 85.6% of breaches target the business sector
• Hacks are 84.8% of breaches
My personal favorite
“14.7% of breached organizations were
unwilling or unable to disclose the number
of records exposed.”
Let’s welcome on stage our main characters

Making a cheesecake                    Building an app
Ingredients                            Libraries (jars, modules, gems…)
Recipe                                 Source code
Kitchen stuff (whisk, bowl, spatula)   Dev tools (editor, CLI tools, VCS)
Appliances (oven, fridge)              Build tools (CI/CD server)
Fork                                   Runtime
Let’s imagine you’re a chef
Will subpar ingredients get me the best cheesecake?
Let’s imagine you’re a chef
Where do the vendors I use get the ingredients from?
What matters for ingredients?
Trust, traceability, and end-to-end transparency
Why do we care about traceability?
• Identify what’s in a package
• Identify who’s using it
• Identify where it’s stored
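The three traceability questions above (what is in a package, who consumes it, where it was resolved from) are exactly what you need answered the day a vulnerable version is announced. The following is an added example, not JFrog's code or anything from the talk: it indexes lock-style dependency records for three constructed services and answers "who uses lodash, by version" and "which packages were fetched from somewhere other than our approved store". The service data, package names and the approved host `artifacts.example.internal` are all assumptions made up for the example; real package-lock.json entries carry the same name, version and `resolved` URL fields.

```python
"""Answering the three traceability questions for a fleet of services:
what is in a package, who consumes it, and which store it was resolved from.

Added example for this page, not JFrog code. The service lock data and the
approved registry host are constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical internal artifact proxy every build is supposed to resolve through
APPROVED_HOSTS = {"artifacts.example.internal"}

# Constructed inventory: service -> [(package, version, resolved URL)]
SERVICES = {
    "checkout": [
        ("lodash", "4.17.20", "https://artifacts.example.internal/api/npm/npm/lodash/-/lodash-4.17.20.tgz"),
        ("ms", "2.1.3", "https://artifacts.example.internal/api/npm/npm/ms/-/ms-2.1.3.tgz"),
    ],
    "search": [
        ("lodash", "4.17.21", "https://artifacts.example.internal/api/npm/npm/lodash/-/lodash-4.17.21.tgz"),
        ("left-pad", "1.3.0", "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"),
    ],
    "reporting": [
        # Same version string as checkout's lodash, but the bytes came from a fork on GitHub
        ("lodash", "4.17.20", "https://github.com/someone/lodash/archive/refs/tags/4.17.20.tar.gz"),
    ],
}


def build_inventory(services):
    """Index package@version -> consuming services and the hosts it was resolved from."""
    inv = defaultdict(lambda: {"consumers": set(), "hosts": set()})
    for service, deps in services.items():
        for name, version, resolved in deps:
            rec = inv[f"{name}@{version}"]
            rec["consumers"].add(service)
            rec["hosts"].add(urlparse(resolved).hostname)
    return dict(inv)


def consumers_of(inv, name):
    """Who is using `name`, broken down by version: the question a CVE forces you to answer."""
    out = {}
    for key, rec in inv.items():
        pkg, _, version = key.rpartition("@")  # rpartition keeps scoped names like @scope/pkg intact
        if pkg == name:
            out[version] = set(rec["consumers"])
    return out


def unapproved_sources(inv, approved=APPROVED_HOSTS):
    """Packages whose bytes came from somewhere other than the approved store."""
    return {key: rec["hosts"] - approved for key, rec in inv.items() if rec["hosts"] - approved}


if __name__ == "__main__":
    inventory = build_inventory(SERVICES)
    print("lodash consumers by version:", consumers_of(inventory, "lodash"))
    print("resolved outside the approved store:", unapproved_sources(inventory))
```

The second check is the one that catches the reporting service: it declares the same lodash version as checkout, so a version-only inventory would call the two identical, but the bytes came from a GitHub fork rather than the store the rest of the fleet uses.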
Docker makes things a little tricky
• Versions are tags, and are dynamic and mutable
• Latest is not always really latest

The same tag my-image:5.0 can point at different layer stacks over time:
  OS layer 1.0 / Framework layer 2.0 / Application layer 2.0
  OS layer 1.1 / Framework layer 2.1 / Application layer 2.1
Docker makes things a little tricky
• It lets you pull code and dependencies into production systems
• It lets you update databases or call external services with POST data
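Both points above (tags are mutable, and build steps can pull arbitrary code from the network) can be checked mechanically before an image is ever built. The following is an added example and not JFrog's code or anything shown in the talk: a small Dockerfile linter that flags `FROM` lines not pinned by `@sha256:` digest and `RUN` steps that pipe downloads into a shell or install packages without hash verification. The sample Dockerfile, the host `example.invalid` and the all-`a` digest are constructed placeholders; the regexes are deliberately simple and are an assumption about the patterns worth flagging, not an exhaustive policy.

```python
"""Dockerfile supply-chain lint: mutable base-image references and build
steps that pull unpinned code from the network.

Added example for this page, not JFrog code. The sample Dockerfile is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A digest-pinned reference ends in @sha256:<64 hex chars>; that is the only immutable form.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# RUN steps that fetch and execute or install code straight from the internet at build time
FETCH_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes a download straight into a shell"),
    (re.compile(r"\bpip3?\s+install\b(?!.*--require-hashes)"), "pip install without --require-hashes"),
    (re.compile(r"\bnpm\s+install\b"), "npm install instead of npm ci (lockfile not enforced)"),
]


@dataclass
class Finding:
    line: int
    message: str


def classify_image_ref(ref: str) -> str:
    """Return 'digest', 'tag', 'latest' or 'scratch' for a FROM image reference."""
    ref = ref.strip()
    if ref == "scratch":
        return "scratch"
    if DIGEST_RE.search(ref):
        return "digest"
    # Only a ':' after the last '/' is a tag; earlier ones belong to a registry port.
    last = ref.rsplit("/", 1)[-1]
    if ":" in last:
        return "latest" if last.split(":", 1)[1] == "latest" else "tag"
    return "latest"  # no tag at all is an implicit :latest


def logical_lines(text: str):
    """Yield (first_line_number, instruction) with backslash continuations joined, comments dropped."""
    start, buf = None, ""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        yield start, buf.strip()
        start, buf = None, ""
    if buf:
        yield start, buf.strip()


def lint_dockerfile(text: str) -> list[Finding]:
    findings = []
    for n, line in logical_lines(text):
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = re.split(r"\s+as\s+", args, flags=re.IGNORECASE)[0].strip()  # drop "AS stage"
            kind = classify_image_ref(image)
            if kind == "latest":
                findings.append(Finding(n, f"FROM {image}: floating :latest (or no tag), changes underneath you"))
            elif kind == "tag":
                findings.append(Finding(n, f"FROM {image}: tag is mutable, pin with @sha256:<digest>"))
        elif instr == "RUN":
            for pattern, why in FETCH_PATTERNS:
                if pattern.search(args):
                    findings.append(Finding(n, f"RUN {why}"))
    return findings


# Constructed sample, not from the talk; line numbers matter for the findings.
SAMPLE_DOCKERFILE = "\n".join([
    "# constructed sample Dockerfile",
    "FROM node:latest AS build",
    "FROM python:3.11-slim",
    "FROM alpine@sha256:" + "a" * 64,
    "RUN curl -fsSL https://example.invalid/install.sh | sh",
    "RUN pip install requests",
    "RUN pip install --require-hashes -r requirements.txt",
    "RUN apt-get update && apt-get install -y \\",
    "    ca-certificates",
    "RUN npm ci",
])

if __name__ == "__main__":
    for f in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: {f.message}")
```

Run against the sample it reports four findings: the two unpinned `FROM` lines and the two `RUN` steps that trust whatever the network serves at build time. A tag such as `python:3.11-slim` is flagged on purpose: it looks precise but, exactly like `my-image:5.0` in the slide, the registry can re-point it at a different layer stack tomorrow.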
Let’s do a quick poll (Question 1)
Who is using Open Source tech?
Yes No
Let’s do a quick poll (Question 2)
Do you have influence over which tools
your company uses?
Yes No
If you said “yes” to question 2, you’re not alone…
71% of developers have some influence in software choices
Source: State of the Developer Nation, 15th edition
If you said “yes” to question 1, you’re definitely not alone…
• 98% of developers use Open Source tools at work
• 96% of commercial apps embed Open Source
• 79% of businesses use Open Source for key systems
Trust, but verify…
Do you trust your colleagues?
I hope the answer is yes
Do you trust the rest of the world?
Trust is built with consistency
What matters for libraries (our ingredients)?
Trust, traceability, and end-to-end transparency
I think it is safe to say that…
Having trust in where your ingredients come from
and who made them is important in both making
cheesecake and software
Open source licenses
Of the 35 licenses listed:
• 13 require you to publish product sources
• 4 allow users to ask for sources on hosted software
Source: https://choosealicense.com/appendix/
Recipes in software: source code
Developers programming in DevSecOps environments fix 11x faster than other developers
“Security is your friend! Seriously! Developers are the true
sentries of product security, as not introducing accidental
weaknesses in the first place is always much better than even
the fastest hotfix process later on. DevSecOps practices that
make developers into security champions”
So let’s look at some of that in action…
Yes, I’ll use JFrog software but it’s equally applicable to other software vendors & products too
Immutability and repeatability
The best way to guarantee issues is force push
Immutable dependencies
Who doesn’t remember left-pad with Node.js?
Lost Dependencies
Do you trust your suppliers enough?
Internet Issues
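Immutable dependencies and lost dependencies are two different failures, and a lockfile only protects you from one of them. The following is an added example, not JFrog's code or anything from the talk: it computes npm-style Subresource Integrity strings (the `integrity` field in package-lock.json), then resolves a constructed lockfile against a "registry" in which one package has been unpublished, left-pad style, and another has been re-published under the same version with different bytes. The package contents, the lockfile and both registry snapshots are made up for the example.

```python
"""Verifying locked dependencies against what a registry actually serves today.

Added example for this page, not JFrog code. The lockfile and registry
contents are constructed; real package-lock.json entries carry the same
'version' and 'integrity' fields."""
import base64
import hashlib
import hmac


def sri(data: bytes, algo: str = "sha512") -> str:
    """npm-style Subresource Integrity string: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(expected: str, data: bytes) -> bool:
    """Compare fetched bytes against a recorded SRI value using the algorithm it names."""
    algo, _, _ = expected.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # unknown or weak algorithm: treat as unverifiable
    return hmac.compare_digest(sri(data, algo), expected)


def resolve(lock: dict, registry: dict) -> dict:
    """Per-package status: 'ok', 'missing' (lost dependency) or 'tampered' (same version, different bytes)."""
    status = {}
    for name, entry in lock["packages"].items():
        data = registry.get(f"{name}@{entry['version']}")
        if data is None:
            status[name] = "missing"
        elif not sri_matches(entry["integrity"], data):
            status[name] = "tampered"
        else:
            status[name] = "ok"
    return status


# Constructed registry contents on the day the lockfile was generated, keyed by name@version.
PUBLISHED = {
    "left-pad@1.3.0": b"module.exports = function leftPad(str, len, ch) { /* ... */ };",
    "is-array@1.0.1": b"module.exports = Array.isArray;",
    "ms@2.1.3": b"module.exports = function ms(val) { /* ... */ };",
}

# The lockfile records the exact version and the digest of the bytes that were actually installed.
LOCKFILE = {
    "packages": {
        key.rsplit("@", 1)[0]: {"version": key.rsplit("@", 1)[1], "integrity": sri(data)}
        for key, data in PUBLISHED.items()
    }
}

# The same registry some time later: left-pad was unpublished, ms was re-published under
# the same version number with different content. is-array is untouched.
TODAYS_REGISTRY = dict(PUBLISHED)
del TODAYS_REGISTRY["left-pad@1.3.0"]
TODAYS_REGISTRY["ms@2.1.3"] = b"module.exports = function ms(val) { require('child_process'); };"

if __name__ == "__main__":
    for name, state in resolve(LOCKFILE, TODAYS_REGISTRY).items():
        print(f"{name}: {state}")
```

The integrity field turns a silent re-publish into a hard failure, which is what `npm ci` does with a lockfile mismatch. It does nothing for the unpublished package: the only defence against a lost dependency is holding your own copy, which is the job of a caching artifact repository sitting between your builds and the public registry.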
Shifting left…
At the beginning of the process!
• DevSecOps aims to embed security in every part of the application lifecycle: run time, build time and even development time.
• It means developing more secure applications faster, refusing to accept that the two (secure & fast) are mutually exclusive!
DevSecOps do’s
• Treat DevOps as code (automate your processes as much as possible)
• Standardize and automate your security and governance processes
• Get insights into your end-to-end process (visibility and transparency)
DevSecOps don’ts
• Have developers write and maintain scripts for DevOps
• Think that all current tools and processes will magically work when moving to cloud or containers
• Believe that a single vendor has all the tools you need
• Think that security is someone else’s problem
• Think that a firewall is more than adequate security
Recap
• Trusting your ingredients
• Trusting your suppliers
• Transparency in your process