
DevSecOps-The Good Bad and Ugly

Sharing working experience with DevSecOps, and discussion



  1. DevSecOps: The Good, Bad, and Ugly (DevOps TW Meetup #28)
  2. Whois: I am Anderson Lin (4ndersonLin), MaiCoin Cyber Security Engineer, AWS Certified All-5 + Security Specialty
  3. Agenda: Security and DevOps; The Good; The Bad; The Ugly
  4. Security and DevOps
  5. Reality: maybe we still need some security: business involves money and sensitive data; company policy; local law and regulation issues
  6. Some interesting data: the trend
  7. DevSecOps: the overview
  8. Life cycle of DevSecOps. Stages: Plan, Build, Test, Release, Monitor. Activities: threat modeling; SAST; code review; common tests; DAST; configuration validation; logging; telemetry; detect and respond to attacks; update the threat model; analyze incidents
  9. DevOps periodic table. Ref: https://digital.ai/periodic-table-of-devops-tools
  10. Different viewpoints on DevSecOps: Dev; Sec; Ops
  11. Developer viewpoint on DevSecOps: application static/dynamic testing in CI/CD; secure by design
  12. Security viewpoint on DevSecOps: policy as code; vulnerability and patch management; response
  13. Ops viewpoint on DevSecOps: reviewable infrastructure (infrastructure as code); monitoring more items
  14. Recap: the life cycle; the different viewpoints (Dev, Sec, Ops, Boss). Ref: https://eiki.hatenablog.jp/entry/meteo_fall
  15. DevSecOps: the GOOD
  16. The GOOD (low hanging fruit): secure by design; shift-left testing (find and fix vulnerabilities early); reviewable infrastructure and policy (IaC, PaC); monitoring makes response faster
  17. DevSecOps: the BAD
  18. The BAD (sometimes we can solve it): performance issues; loss of availability; tools are good, but people matter (threat modeling still needs the dev team's help; trust issues when the red team comes); vulnerabilities in the security tools themselves ("Exploiting image scanners" by matuzg); overdesign. Ref: https://medium.com/@matuzg/testing-docker-cve-scanners-part-2-5-exploiting-cve-scanners-b37766f73005
  19. DevSecOps: the UGLY
  20. The UGLY (the hardest part): misunderstanding or misconfiguration = disaster ("... ***-WAF-Role..." ~= 80M USD); new tools are not stable (Falco: more false positive alarms); security is always lagging; who will take the responsibility? Ref: https://github.com/falcosecurity/falco/issues/1403
  21. Summary
  22. Summary: DevSecOps, the Good, the Bad, the Ugly. More than tools and process, the key is people and culture
  23. Take away. Conferences: Black Hat; DEF CON; DevSecCon; DevSecOps Days; RSA. DevSecOps YouTube channel: https://www.youtube.com/channel/UCmzqpR98J4KtLj4K7RRRwEw. Tool collections: https://github.com/devsecops/awesome-devsecops; https://github.com/4ndersonLin/awesome-cloud-security (that's me, please contribute!)
  24. We are hiring: https://github.com/MaiAmis/Careers
  25. Thanks! Any questions? You can find me at 4nderson.lin@pm.me
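Slides 12, 13 and 16 name "policy as code" and "reviewable infrastructure" as the low-hanging fruit, and slide 20 shows what an unreviewed role misconfiguration costs. The following is an added example, not code from the talk or from the speaker: a minimal policy-as-code gate that reads an IaC plan fragment (an AWS-like IAM policy shape; the plan, the `example-role` name and the bucket name are constructed placeholders) and fails the pipeline on the three findings a reviewer would reject, wildcard actions, wildcard resources, and a trust policy any principal can assume. The same role is shown before and after review so the gate passes on the corrected version.

```python
import json
import sys
from typing import Any, Dict, List

# Constructed sample plan (not from the talk): two policy documents attached to
# one role, deliberately over-permissive so the gate has something to report.
WEAK_PLAN = json.dumps({
    "resources": [{
        "name": "example-role",  # placeholder name, constructed
        "assume_role_policy": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}
        ]},
        "inline_policy": {"Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["logs:PutLogEvents"],
             "Resource": "arn:aws:logs:*:*:log-group:/example/*"},
        ]},
    }]
})

# The same role after review: scoped actions, one bucket, a named principal.
FIXED_PLAN = json.dumps({
    "resources": [{
        "name": "example-role",
        "assume_role_policy": {"Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "ec2.amazonaws.com"}}
        ]},
        "inline_policy": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Effect": "Allow", "Action": ["logs:PutLogEvents"],
             "Resource": "arn:aws:logs:*:*:log-group:/example/*"},
        ]},
    }]
})


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_statement(stmt: Dict[str, Any], where: str) -> List[str]:
    """Apply the three review rules to one Allow statement; return findings."""
    findings: List[str] = []
    if stmt.get("Effect") != "Allow":
        return findings  # Deny statements never widen access
    actions = [str(a) for a in _as_list(stmt.get("Action"))]
    if any(a == "*" or a.endswith(":*") for a in actions):
        findings.append(f"{where}: wildcard action {actions}")
    if "*" in _as_list(stmt.get("Resource")):
        findings.append(f"{where}: wildcard resource")
    principal = stmt.get("Principal")
    if principal == "*" or (isinstance(principal, dict)
                            and "*" in _as_list(principal.get("AWS"))):
        findings.append(f"{where}: any principal may assume the role")
    return findings


def evaluate_plan(plan_json: str) -> List[str]:
    """Walk every policy document in the plan and collect all findings."""
    findings: List[str] = []
    for res in json.loads(plan_json).get("resources", []):
        for doc_name in ("assume_role_policy", "inline_policy"):
            doc = res.get(doc_name) or {}
            for i, stmt in enumerate(_as_list(doc.get("Statement"))):
                findings += check_statement(stmt, f"{res['name']}.{doc_name}[{i}]")
    return findings


def gate(plan_json: str) -> int:
    """CI exit status: 0 when the plan passes review, 1 when findings exist."""
    return 1 if evaluate_plan(plan_json) else 0


if __name__ == "__main__":
    # Usage: python pac_gate.py < plan.json ; with no input, the weak sample runs.
    plan = (sys.stdin.read() if not sys.stdin.isatty() else "") or WEAK_PLAN
    for finding in evaluate_plan(plan):
        print("FAIL", finding)
    sys.exit(gate(plan))
```

Run in the pipeline stage that produces the plan, a non-zero exit blocks the release, which is the "reviewable infrastructure and policy" of slide 16 made mechanical; the rules are deliberately few and loud, since slide 20's point about noisy tools applies to home-grown gates too.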
