1) The document discusses the challenges of implementing application security in a DevOps environment, noting that while many organizations are adopting DevOps, few are integrating security testing during development. 2) It presents the DevSecOps approach which incorporates security capabilities and practices into DevOps technologies, processes, and culture through principles of collaboration, continuous improvement, automation, and security as code. 3) Key aspects of DevSecOps discussed include threat modeling, static and dynamic application security testing integrated into the development pipeline, container security, analytics dashboards for visualizing security metrics and risks, and maturity models for prioritizing applications based on risk assessments.

1. DevSecOpsIndonesia
Pain & Pleasure of doing AppSec
in
DevOps
Suman
Sourav

2. ABOUT ME
• 14+ Years of experience in Application Security
• Certified Secure Software Lifecycle Professional (CSSLP)
• Co-Leader of DevSecOps Singapore & Indonesia
• Community Ambassador – DevOps Institute
• Full time student – learning from people around me
DevSecOpsIndonesia

3. DevSecOpsIndonesia
Application Security-Non Functional Requirements ?
Security Team
Application
Security
DevOps Team
DevOps
Tools

4. DevSecOpsIndonesia
I am not kidding-No Offense !
Confluence
JIRA
BitBucket
Bamboo
Artifactory
Jenkins
(master)
Jenkins
(slave)
SonarQube
Selenium
Grids
Web Archive
Containerized
(Docker image)
Dev
(Docker)
App Server
Early scans during CI to ensure code quality
and coverage
Parallel execution of test
cases
Current
Recommended
Orchestrated
SIT, UAT, Prod
TDD/BDD

5. DevSecOpsIndonesia
This is same across all industries
Development Operations
QA
Customer
Centric
Immediate
Results
Automation
Scale
Agile
90%of surveyed
organizations are
implementing or
piloting DevOps
and
99%Agree DevOps is an opportunity to
improve application security
but only
20%Are doing application
security testing during
development
SecOps
SecOps Needs to Shift Left

6. DevSecOpsIndonesia
Moving From To
Waterfall Agile & DevOps
Physical or
Virtual Server
Cloud & Containers
Scalable
InstrumentedMonolithic
or N-Tier
APIs &
Micro services
Architecture
Deployment
Development
Process
Ideally
Continuous
Changing Landscape

7. DevSecOpsIndonesia
Reference: Cloud Security Alliance : Security Guidance for Early Adopters of the Internet of Things – April 2015
API is evolving fast

8. DevSecOpsIndonesia
Defensive security in era of DevOps
Organization fails to map the security threats to
the risk management process
• faster release cycles
• automated security testing
• tons of security results
• silo culture
Threat
Modeling
Attack Surface
areas
Risk
Analysis

9. DevSecOpsIndonesia
DevOps Approach
• People
 Collaboration
 Training
• Process
 Continuous Improvement
 Continuous Testing
• Technology
 Self Service
 Automation

10. DevSecOps Approach
3S Principles
TECHNOLOGY
Security Capabilities
DEVSECOPS
• Incorporate security capabilities in
DevOps collaborative technologies.
• Deploy security solutions to
support; security scanning, code
quality, reporting and data
dissemination capabilities.
• Institutionalize security
through standardization
and documented
business processes.
• Implement and prioritize
project methods and
roadmaps in alignment
with development &
security goals.
• Tie rules of engagement
to corporate security
mission, vision and
strategy.
• Provide clear goals,
metrics and KPI’s
aligned with security
strategy
• Establish training and
incentive programs to
modify or encourage
security-driven decisions.
• Align user needs and security
skills with compliance needs.
DevSecOpsIndonesia

11. DevSecOpsIndonesia
Secure Engineering Development Practice
DEVELOPMENT BUILD AND
DEPLOY
STAGINGREQUIREMENTS
External
Repositories
Common Components
DESIGN
Repository
DAST/SecurityQAThreat
Modeling
SAST
VS/PT/IAST/
Fuzzing
Components
Monitoring
Monitoring
SCM Tools
PRODUCTION
SAST : Static Application Security Testing
DAST : Dynamic Application Security Testing
IAST : Interactive Application Security Testing
VS : Vulnerability scanning
PT : Penetration Testing

12. DevSecOpsIndonesia
Does this make sense ?
Confluence
JIRA
BitBucket
Bamboo
Artifactory
Jenkins
(master)
Jenkins
(slave)
Web Archive
Containerized
(Docker image)
Dev
(Docker)
App Server
SonarQube
Selenium Grids
Parallel execution of test
cases
Orchestrated
SIT, UAT, Prod
TDD/BDD
Current
Recommended
Security
SAST
Security
Requirements
Early scans during CI to ensure code
quality and coverage
Early SAST and SCA scans to discovers security
issues
Container
Security
Regulatory Security requirements
Container Security Scanning and Monitoring

13. DevSecOpsIndonesia
Evaluate | security controls, integration and
adoption
Expose | threats, risks and scores
Encapsulate | what , when where and why
Efficient | decision making and investment
Data analytics in security
Contextual
decision
making
Seamless
design to
execution
Predictive
Analysis
Real time
collaboration

14. DevSecOpsIndonesia
Building analytics database
0
2
4
6
8
10
SAST
DAST
SecurityQA
VS/Fuzzing
IAST
Analytics
DB
SIEM
Security metrics
template
TM

15. DevSecOpsIndonesia
Master
Branch1
Compile Test Publish Deploy
Build
GitHub Build Tools Deploy Env
Open Source Libraries
DevSecOps Orchestration Platform
• Sec Requirements
• Design Review
• Threat Modelling
• Security Unit Tests
• SAST
• SCA
• DAST
• IAST
• VA
• Security as Code
• RASP
• NG WAF
Security As a service
Vulnerability
Normalization &
Analytics
Feedback Loop

16. DevSecOpsIndonesia
OWASP DevSecOps Maturity Model
Reference : https://docs.google.com/presentation/d/1rrbyXqxy3LXAJNPFrVH99mj_BNaJKymMsXZItYArWEM/edit#slide=id.g1560ae0085_5_74

17. Continuous Security Testing
Reference: https://docs.google.com/presentation/d/1dAewXIHgBEKHKwBPpM5N_G2eM6PRpduoGJrp6R6pNUI/edit#slide=id.p

18. DevSecOpsIndonesia
All the app will be
analyzed for RA levels
based on their Risk
Assessment Score
Risk Assessment DevOps SMM3 SMM2 SMM1
RA2RA1
METRICS
Baseline RequirementsBaseline RequirementsBaseline Requirements
Additional Requirements Additional Requirements
Architecture Risk Analysis
Application ThreatModeling
SCORESCORE
Automated scanning
SCORE
Risk Assessment
SECURITY MATURITY SCORE
MATURITY
RA3
Architecture Risk Analysis
• All the app will go
through the baseline
assessment as per
current assessment
process
• Automated assessment
will be done based on
Maturity Requirements
• Architecture Risk
Analysis will be required
for RA 2 & RA 1 Apps
• Applicartion
Threatmodeling will be
done only for RA 1 Apps
• Security Maturity Score
will be calculated after
each assessment
Setting up priorities

19. DevSecOpsIndonesia
We can eliminate and minimize the threats if
we change our engineering development
practice
○ Incorporate security as culture
○ Investment in the right directions
○ Innovate the processes that suits our
organization
Are we ready for change ?

20. DevSecOpsIndonesia
Connecting
Teams
Connecting
Insight
Connecting
Outcomes
Connecting
Delivery
Welcome to the Era of Connection. Are you ready?
Bid data analytics can change
the state of security in an
organization and can offer
valuable insights into business
risks far beyond IT
technologies are available to
take a look in much more detail
around machine-generated data
and user-generated data to
understand what is happening
inside of an organization

21. DevSecOpsIndonesia
“The challenge for security in DevOps is
not the technology but the people”