The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
Seu SlideShare está sendo baixado.
×
Confira estes a seguir
Mais Conteúdo rRelacionado
Diapositivos para si (20)
Semelhante a Dev{sec}ops (20)
Mais recentes (20)
Dev{sec}ops
- 1. Dev{Sec}Ops AUTOMATION CAN BE SECURITY FRIENDLY
- 2. The Talk Dev{Sec}Ops - Automation can be Security Friendly Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show off how easily it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples DevOps team can implement for free.
- 3. Dev – Ops Culture DevOps DevSecOps SecDevOps DevSecAuditOps Security Team’s Problems That security guy
- 4. Shift Left …? How about “Extend Left and Right”?
- 5. Steven Carlson Software Engineer who is passionate about clean secure code. https://rockrunner007.github.io/ The guy on the far right… people do odd things when they ride a bicycle for 7 straight days… #RAGBRAI2019
- 6. The Stage HIGHLY REGULATED INDUSTRY OR NOT?!
- 7. Choose Policy and/or Goal GDPR SOC 1 | 2 | 3 PCI NIST
- 8. COVID-19 Reliable Easy to use Secure Feature Rich Efficient
- 9. The Policy A Secure Software Development Life Cycle Policy or SDL This process requires that an applications be designed, developed, and maintained to protect the integrity of all application functions as well as sensitive data collected in association with the application.
- 10. Secure Phase Guidance Find it early. Fix it early. Implement a proactive approach to discover and mitigate security issues in the early stages of SDL thereby significantly reducing the cost of fixing the post-production vulnerabilities. Avoid replicating vulnerabilities Vulnerabilities get copied and replicated across the code base, it magnifies risk in individual projects and possibly across multiple projects. Then it becomes a big development effort to clean up those vulnerabilities. Learn from constant feedback Constant feedback and successful collaboration between developers and security team will reduce the risk factor throughout SDL.
- 11. The Program SCANNING + PRODUCT REVIEW + ACCESS MANAGEMENT = SDL
- 12. General Guidance Code analysis Embed automatic software vulnerabilities detection tools such as Checkmarx into your DevOps pipelines. Change management Increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad. Compliance monitoring Automate compliance and be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.). Threat investigation Identify potential emerging threats with each code update and be able to respond quickly. Vulnerability assessment Identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched. Security training Train software and IT engineers with guidelines for set routines.
- 13. Threat Modeling What are we building? What can go wrong? What are we going do about it? How well are we doing?
- 14. Threat Dragon Resource: https://owasp.org/www-project- threat-dragon/ Example: https://github.com/RockRunner007/Security- Programs
- 15. Source Code Scanning Reviewing the source for a product Password Search Bad patterns Known framework issues
- 16. Checkmarx Resource: https://www.checkmarx.com/ Example: https://github.com/RockRunner007/SAST_Aut omation
- 17. Open Source Scanning Security Risk due to known vulnerabilities with packages or package dependencies License Compliance checking for known license and comparing to company policy
- 18. jFrog Xray Resource: https://jfrog.com/xray Example: https://github.com/RockRunner007/SCA_Aut omation
- 19. Secrets Management Passwords API Keys Hashing Salt + Vector + Work Factor SSL Cert
- 20. Security for Bitbucket Resource: https://marketplace.atlassian.com/apps/1221 399/security-for- bitbucket?hosting=server&tab=overview Example: https://github.com/RockRunner007/SM_Auto mation
- 21. Deployed Application Scanning Crawl a deployed application Use an authenticated user Scheduled scans
- 22. Rapid 7 Insight Appsec Resource: https://www.rapid7.com/products/insightapp sec/ Example: https://github.com/RockRunner007/DAST_Au tomation
- 23. Product Score Card Measure product security stance Measure development readiness Communicate leadership and SDL expectation
- 24. Product Review Program Resource: Q2 DevSecOps Team Example: https://github.com/RockRunner007/Security- Programs
- 25. Security Champion Enable engineers to leverage the SDL Point person for application security questions Partnership on scanning configuration Partnership on product development
- 26. Security Champion Playbook Resource: https://github.com/c0rdis/security- champions-playbook Example: https://github.com/RockRunner007/Security- Programs
- 27. The Opera OPERATION … SEE WHAT I DID THERE?!
- 28. All Together Now
- 29. Dashboard Data from security program Break it down per product Results from before SDL and now
- 30. Exam | Audit Time History of all scan per product Policies each scan is configured with Listing of user’s access and permissions Track of remediation
- 31. Customer Penetration Test
- 32. Shift Left …? How about “Extend Left and Right”?
- 33. Easy as 1 2 3 …?
- 34. Feedback? QUESTIONS?!
- 35. Steven Carlson Software Engineer who is passionate about clean secure code. https://rockrunner007.github.io/ The guy on the far right… people do odd things when they ride a bicycle for 7 straight days… #RAGBRAI2019
