DevSecOps: an Introduction
Prashanth Bharathi Prakash
It's an evolution..
The Facts
• 159,700 total cyber incidents
• 7 billion records exposed in the first 3 quarters
• $5 billion financial impact
• 93% of breaches could have been prevented
*Online Trust Alliance report 2018
How do we manage software security?
Source: “Managing Application Security”, Security Compass, 2017.
Challenges of Secure Software Development
• Legacy software
• Writing secure code is hard
• Lack of security skills
• Emphasis on speed
• Lack of risk focus, audits and control points
• Unsupervised collaboration
• Wrong automated tools
• Best practices are insufficient!
• Vulnerabilities in the development pipeline
So we do last-minute security..
Let's define DevSecOps
• Do we need Security? Obviously! → DevSecOps
• Do we need order in configuration? Sure! → DevSecConfOps
• And do we need to automate? Ideally yes. → DevSecConfAutoOps
• Resilient? This is so important! → DevSecConfAutoResOps
• Backups! We forgot about backups! → DevSecConfAutoResBackOps
• Monitoring :-) → DevSecConfAutoResBackMonOp
• Should I stop here? No → DevSecConfAutoResBackMonNoOp
• Pigeons ate my breakfast while I was entertaining you → DevSecConfAutoResBackMonNoPigeonsAteMyBreakfastWhileIWasEntertainingYouOps
Security becomes paramount in the new world of connected devices and must be addressed without breaking the rapid delivery, continuous feedback model!
The Guiding Principles
• Security is everybody’s business!
• Start with the 3 Ps:
  • People
  • Process
  • Platform
• Establish a process that enables people to succeed in using the platform to develop secure applications
• Build on existing people, processes and tools
The Guiding Principles (continued)
• Adopt a Secure-by-Design rather than a Secure-by-Test approach
• Enable development teams to create secure applications
• Automate as much as possible
• Reuse existing technology as much as possible
• Heavy collaboration between all stakeholders
People
• Invest in training on security skills!
• Make learning a fun exercise!
• Collaborate heavily (Dev, Sec, Ops)
• Secure design decisions
• Secure environment configuration
• Secure deployment planning
• Secure code review
Platforms
• Automate environment creation and provisioning
• Maintain parity between environments: dev, QA and production
• Automated infrastructure testing
• Be open-source aware!
Process
• Build on existing risk assessment processes / policies
• Check the awareness of security policies in dev & ops teams
• Create new processes only to improve existing ones
Change is a journey, not a sprint!
How to bring in Operations
Monitor key performance indicators (KPIs):
• No. of applications threat modelled / scanned for vulnerabilities
• No. of applications reviewed by architects
• No. of security requirements implemented
• % of open source libraries analysed
• Total number of critical and high vulnerabilities
• Number of penetration test vulnerabilities detected
• …
Monitor, Feedback, Remediate and Improve
DevSecOps In Action
Pipeline stages: Design, Secure Coding, Source Control, Code Review, Build, Code Quality, Deploy, Testing, A/B Test, Release
Cloud-based hosting and access to application services through Cloud Platform
DevSecOps enabling tools:
• Code Analysis (SonarQube, Coverity and Black Duck)
• Threat Modeling (Microsoft Threat Modeller, Secure Tree)
• Secure Coding Practices (Source Code Warrior, in-house trainings)
• Static Application Security Scanning (Fortify, Veracode, Coverity)
• Dynamic Application Security Scanner (Fortify, IBM AppScan, Checkmarx, Veracode)
DevOps enabling tools:
• Integrated Development Environment (Eclipse, Xcode)
• Source Code Repository (Git / Gerrit)
• Continuous Integration (Jenkins)
• Deploy (Chef, Docker, Kubernetes)
• Test (Selenium, Grid, Cucumber)
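The KPI slide above asks operations to track critical and high findings, the share of open-source libraries analysed and whether each application was threat modelled, and the pipeline slide lists the SAST/DAST/OSCA tools that produce those numbers. The Python below is an added example, not code from the deck or from any listed vendor: it rolls a constructed, vendor-neutral scan result into those KPIs and applies a hypothetical release gate (`SAMPLE_SCAN_RESULTS`, `GATE_POLICY`, `compute_kpis` and `release_gate` are all assumed names, and the JSON shape is an assumption rather than any tool's export format).

```python
"""Security KPI roll-up and release gate for a CI pipeline stage (added example,
not code from the deck). The input is a constructed, vendor-neutral JSON shape:
an assumption, since real SAST/DAST/OSCA exports are vendor-specific."""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample for one application: findings gathered from SAST, DAST,
# open-source component analysis (OSCA) and a pentest report, plus bookkeeping.
SAMPLE_SCAN_RESULTS = json.dumps({
    "app": "payments-api", "threat_modelled": True,
    "security_requirements": {"total": 12, "implemented": 9},
    "open_source_libraries": {"total": 40, "analysed": 32},
    "findings": [
        {"source": "sast", "severity": "critical", "id": "F-1"},
        {"source": "sast", "severity": "high", "id": "F-2"},
        {"source": "dast", "severity": "medium", "id": "F-3"},
        {"source": "osca", "severity": "high", "id": "F-4"},
        {"source": "pentest", "severity": "low", "id": "F-5"},
    ],
})
# Hypothetical gate policy: what the organisation tolerates before a release.
GATE_POLICY = {"max_critical": 0, "max_high": 2, "min_osca_coverage": 0.80}


@dataclass
class SecurityKpis:
    threat_modelled: bool
    requirements_implemented: int
    requirements_total: int
    osca_coverage: float  # share of open-source libraries analysed, 0.0 to 1.0
    critical: int
    high: int
    pentest_findings: int


def compute_kpis(raw_json: str) -> SecurityKpis:
    """Roll one run's scan results up into the KPIs the deck asks to monitor."""
    data = json.loads(raw_json)
    by_severity = Counter(f["severity"] for f in data["findings"])
    libs, reqs = data["open_source_libraries"], data["security_requirements"]
    return SecurityKpis(
        threat_modelled=bool(data.get("threat_modelled", False)),
        requirements_implemented=reqs["implemented"],
        requirements_total=reqs["total"],
        osca_coverage=libs["analysed"] / libs["total"] if libs["total"] else 0.0,
        critical=by_severity["critical"],
        high=by_severity["high"],
        pentest_findings=sum(f["source"] == "pentest" for f in data["findings"]),
    )


def release_gate(kpis: SecurityKpis, policy: dict = GATE_POLICY) -> list:
    """Return policy violations; an empty list means the build may be released."""
    problems = []
    if kpis.critical > policy["max_critical"]:
        problems.append(f"{kpis.critical} critical finding(s), limit {policy['max_critical']}")
    if kpis.high > policy["max_high"]:
        problems.append(f"{kpis.high} high finding(s), limit {policy['max_high']}")
    if kpis.osca_coverage < policy["min_osca_coverage"]:
        problems.append(f"only {kpis.osca_coverage:.0%} of open-source libraries analysed")
    if not kpis.threat_modelled:
        problems.append("application has not been threat modelled")
    return problems


if __name__ == "__main__":
    for problem in release_gate(compute_kpis(SAMPLE_SCAN_RESULTS)):
        print("RELEASE BLOCKED:", problem)
```

Wiring this in as a Jenkins stage that fails the build when `release_gate` returns a non-empty list turns the slide's "Monitor, Feedback, Remediate and Improve" loop into an enforced gate rather than a report nobody reads.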
Reference Services for DevSecOps
• Governance
  • Maturity Assessment
  • Process Engineering
• Secure-By-Design
  • Security Training Curriculum
  • Threat Modeling
  • Code Scanning Tool Integration
  • SAST, DAST, OSCA
  • Penetration Testing
• DevSecOps Operationalization
  • Monitoring and Operations
  • SIEM Integration
  • Infrastructure Security
Summary
• DevSecOps is a cultural change encompassing people, processes and technologies.
• There is no “one-size-fits-all” scenario.
• New technologies and ubiquitous access across devices / platforms make application security the central focal point in software development.
DevSecOps is the new mantra in software development methodology
For more information
• SEI – Carnegie Mellon University
  • DevOps Blog: https://insights.sei.cmu.edu/devops
  • Webinar: https://www.sei.cmu.edu/publications/webinars/index.cfm
  • Podcast: https://www.sei.cmu.edu/publications/podcasts/index.cfm
• DevSecOps: http://www.devsecops.org
• Rugged Software: https://www.ruggedsoftware.org

Editor's Notes

  1. Placing Sec between Dev and Ops is the ideal way to show that one doesn't understand anything about sorting apples and oranges.
  2. DevSecOps Operationalization: Monitoring and Operations, SIEM Integration, Infrastructure Security