
DevSecOps : an Introduction


Slide 1: DevSecOps (Prashanth Bharathi Prakash)

Slide 2: It's an evolution..

Slide 3: The Facts
• 159,700 total cyber incidents
• 7 billion records exposed in the first three quarters
• $5 billion financial impact
• 93% of breaches could have been prevented
(Source: Online Trust Alliance report 2018)

Slide 4: How do we manage software security? (Source: "Managing Application Security", Security Compass, 2017.)

Slide 5: Challenges of Secure Software Development
• Legacy software
• Writing secure code is hard
• Lack of security skills
• Emphasis on speed
• Lack of risk focus, audits and control points
• Unsupervised collaboration
• Wrong automated tools
• Best practices are insufficient!
• Vulnerabilities in the development pipeline

Slide 6: So we do last-minute security..

Slide 7: Let's define DevSecOps
• Do we need Security? Obviously! → DevSecOps
• Do we need order in configuration? Sure! → DevSecConfOps
• And do we need to automate? Ideally yes. → DevSecConfAutoOps
• Resilient? This is so important! → DevSecConfAutoResOps
• Backups! We forgot about backups! → DevSecConfAutoResBackOps
• Monitoring :-) → DevSecConfAutoResBackMonOp
• Should I stop here? No → DevSecConfAutoResBackMonNoOp
• Pigeons ate my breakfast while I was entertaining you → DevSecConfAutoResBackMonNoPigeonsAteMyBreakfastWhileIwasEntertainingYouOps

Slide 8: Security becomes paramount in the new world of connected devices and must be addressed without breaking the rapid-delivery, continuous-feedback model!

Slide 9: The Guiding Principles
• Security is everybody's business!
• Start with the 3 Ps: People, Process, Platform
• Establish a process that enables people to succeed in using the platform to develop secure applications
• Build on existing people, process and tools

Slide 10: The Guiding Principles (continued)
• Adopt a Secure-by-Design rather than a Secure-by-Test approach
• Enable development teams to create secure applications
• Automate as much as possible
• Reuse existing technology as much as possible
• Heavy collaboration between all stakeholders

Slide 11: People
• Invest in training on security skills!
• Make learning a fun exercise!
• Collaborate heavily (Dev, Sec, Ops)
• Secure design decisions
• Secure environment configuration
• Secure deployment planning
• Secure code review

Slide 12: Platforms
• Automate environment creation and provisioning
• Maintain parity between environments: dev, QA and production
• Automated infrastructure testing
• Be open-source aware!

Slide 13: Process
• Build on existing risk assessment processes / policies
• Check the awareness of security policies in dev and ops teams
• Create new processes only to improve existing ones
Change is a journey.. not a sprint!!

Slide 14: How to bring in Operations
Monitor key KPIs:
• Number of applications threat modelled / scanned for vulnerabilities
• Number of applications reviewed by architects
• Number of security requirements implemented
• % of open-source libraries analysed
• Total number of critical and high vulnerabilities
• Number of penetration test vulnerabilities detected
• …
Monitor, Feedback, Remediate and Improve

Slide 15: DevSecOps In Action
Pipeline stages: Design, Secure Coding, Source Control, Code Review, Build, Code Quality, Deploy, Testing, A/B Test, Release; cloud-based hosting and access to application services through a cloud platform.
DevSecOps enabling tools:
• Threat Modeling (Microsoft Threat Modeller, Secure Tree)
• Secure Coding Practices (Source Code Warrior, in-house trainings)
• Code Analysis (SonarQube, Coverity and Black Duck)
• Static Application Security Scanning (Fortify, Veracode, Coverity)
• Dynamic Application Security Scanning (Fortify, IBM AppScan, Checkmarx, Veracode)
DevOps enabling tools:
• Integrated Development Environment (Eclipse, Xcode)
• Source Code Repository (Git / Gerrit)
• Continuous Integration (Jenkins)
• Deploy (Chef, Docker, Kubernetes)
• Test (Selenium, Grid, Cucumber)
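The KPIs of slide 14 and the gate between the "Build" and "Deploy" stages of slide 15 are easy to automate once scan results are normalised. The following is an added example, not code from the deck: it computes the listed KPIs over constructed findings and decides whether an application may pass the Deploy stage. The record shapes, app names and library names are hypothetical; real SAST/OSCA/pentest tools each export their own formats.

```python
"""Compute the KPIs from the 'How to bring in Operations' slide over scan
output and apply a release gate for the 'DevSecOps In Action' pipeline.
Record shapes are hypothetical; real tools export their own formats."""

# Constructed findings, normalised to one hypothetical shape.
FINDINGS = [
    {"app": "payments", "source": "sast", "severity": "critical", "title": "SQL injection"},
    {"app": "payments", "source": "sast", "severity": "high", "title": "Hard-coded credential"},
    {"app": "payments", "source": "pentest", "severity": "medium", "title": "Verbose error page"},
    {"app": "portal", "source": "sast", "severity": "low", "title": "Cookie without HttpOnly"},
    {"app": "portal", "source": "osca", "severity": "high", "title": "Vulnerable dependency"},
]
# Constructed library inventory: did open-source composition analysis (OSCA) cover it?
LIBRARIES = [
    {"app": "payments", "name": "lib-a", "analysed": True},
    {"app": "payments", "name": "lib-b", "analysed": True},
    {"app": "portal", "name": "lib-c", "analysed": False},
    {"app": "portal", "name": "lib-d", "analysed": True},
]
THREAT_MODELLED = {"payments"}  # apps with a completed threat model
SCANNERS = ("sast", "dast", "osca")
BLOCKING = ("critical", "high")

def compute_kpis(findings, libraries, threat_modelled):
    """Return the slide's KPIs as a dict for the monitoring dashboard."""
    analysed = sum(1 for lib in libraries if lib["analysed"])
    return {
        "apps_scanned": len({f["app"] for f in findings if f["source"] in SCANNERS}),
        "apps_threat_modelled": len(threat_modelled),
        "pct_oss_analysed": round(100.0 * analysed / len(libraries), 1) if libraries else 0.0,
        "critical_high": sum(1 for f in findings if f["severity"] in BLOCKING),
        "pentest_findings": sum(1 for f in findings if f["source"] == "pentest"),
    }

def release_gate(app, findings, libraries, threat_modelled, min_oss_coverage=100.0):
    """Decide whether `app` may pass the Deploy stage; returns (ok, reasons).
    Blocks on open critical/high findings, a missing threat model, and
    third-party libraries the OSCA scan did not cover."""
    reasons = []
    blocking = [f for f in findings if f["app"] == app and f["severity"] in BLOCKING]
    if blocking:
        reasons.append(f"{len(blocking)} open critical/high finding(s)")
    if app not in threat_modelled:
        reasons.append("no threat model on record")
    app_libs = [lib for lib in libraries if lib["app"] == app]
    if app_libs:
        coverage = 100.0 * sum(lib["analysed"] for lib in app_libs) / len(app_libs)
        if coverage < min_oss_coverage:
            reasons.append(f"OSCA coverage {coverage:.0f}% below {min_oss_coverage:.0f}%")
    return (not reasons, reasons)
```

A CI step (a Jenkins stage, for instance) would call `release_gate` for the application being built and fail the build when `ok` is false, while `compute_kpis` feeds the "Monitor, Feedback, Remediate and Improve" loop.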
Slide 16: Reference Services for DevSecOps
• Governance
• Maturity assessment
• Process engineering
• Secure-by-Design
• Security training curriculum
• Threat modeling
• Code scanning tool integration
• SAST, DAST, OSCA
• Penetration testing
• DevSecOps operationalization
• Monitoring and operations
• SIEM integration
• Infrastructure security

Slide 17: Summary
• DevSecOps is a cultural change encompassing people, processes and technologies.
• There is no "one-size-fits-all" scenario.
• New technologies and ubiquitous access across devices / platforms make application security the central focal point in software development.
DevSecOps is the new mantra in software development methodology.

Slide 18: For more information
• SEI, Carnegie Mellon University
• DevOps Blog: https://insights.sei.cmu.edu/devops
• Webinar: https://www.sei.cmu.edu/publications/webinars/index.cfm
• Podcast: https://www.sei.cmu.edu/publications/podcasts/index.cfm
• DevSecOps: http://www.devsecops.org
• Rugged Software: https://www.ruggedsoftware.org

Editor's Notes

  • Placing Sec between Dev and Ops is the ideal way to show that one doesn't understand anything about sorting apples and oranges.
  • DevSecOps Operationalization
    Monitoring and Operations
    SIEM Integration
    Infrastructure Security
