devsecops

1. !"#$%#&'()*+",#-.(/&-0(1*234)(
5#4*$#&*
67&%7&7(6*,87(9*:'7$

2. WHO AM I
● 9*+",#-.(;%20+7-*(< 9&.=
● OWASP Global Board of Directors – Vice - Chair
● Member of Review Board at BH Asia, Grace Hopper, BSides >0&?*,*&+*),
Global AppSec, etc.
● /&20$2*%(#&(Diversity Initiatives:
○ InfosecGirls
○ WoSec (Wo8*&(/&(9*+",#-.@

3. Dev
Security
Ops
Blame Game

4. Slide Credit: Pete Cheslock

5. Slide Credit: DevSecCon

6. DevSecOps
DevOps Visibility

7. 7
● Confidence ● Compliance
● Observability Traceability
DevSecOps — Profits
7

8. DevSecOps — Integrating Security into DevOps

9. DevSecOps — Integrating Security into DevOps
User Stories

10. DevSecOps — Integrating Security into DevOps
User Stories Secure Coding

11. DevSecOps — Integrating Security into DevOps
User Stories Secure Coding Linting, Scanning

12. DevSecOps — Integrating Security into DevOps
User Stories Secure Coding Linting, Scanning QA

13. DevSecOps — Integrating Security into DevOps
User Stories Secure Coding Linting, Scanning QA Mutating

14. “Shift Left” is not enough
Empowering developers to build applications securely
within the entire development process
of respondents believe developers
should actually own security, but they
aren't well-equipped to do so.
of respondents feel that security is
a major constraint on the ability to
deliver software quickly.
81%
33%
Empower
developers
Enable
security team

15. !"#$%&'()"#*+#&,-"%./-.*++&/,
;++*4-7&+*(
-*)-)
A&#-(-*)-)
/&-*',7-#0&(
-*)-)
9-7-#+(
7&7$.)#)

16. 01*"&2%/.#(,'*"/3"3(+#"3**45('6
;++*4-7&+*(
-*)-)
A&#-(-*)-)
/&-*',7-#0&(
-*)-)
9-7-#+(
7&7$.)#)
B7)- C#%%$#&' 9$0D 9$0D*,

17. 7897:
;&#"
.*%/+&#/.$
E,7%#-#0&7$F5779
9*,2*,$*))
<./4='#&/,
:*>?*'@%+A"8,#*-.(#*4"#1./=-1/=#":*>@%+
1*4*&%*&+.(9*+",#-.G(>0&-7#&*,()*+",#-.G(H#+*&)*(2#0$7-#0&)
I*'#)-,.
%*4$0.
?*'=.&#$";(#*
7/4*
0*+#"B"C&D 0*+#E"C&DE"
F/,&#/.
J"#$%
K"J*,&*-*)
F/,&#/."B"2/.*GGG
0*+#E"C&DE"
F/,&#/.
)"J8#-

18. /&-*',7-*%(E:,0"':0"-(1*29*+34)
69(>0%* /&-*$$#L ;M",*(
I*40)
N#-O"J
!#-J"+=*- N#-H7J
>0&+0",)* L*&=#&)
;M",*(
5#4*$#&*) E*78>#-.
>$0"%(
B0"&%,.
5#20-7$
O*,0=" ;,-#?7+-0,.
8#+,0(?0+")
7/4&,- ?/=.'*"7/,#./) 7897:
7/,#(&,*.+"B"
?*.>*.)*++
9&.=(>H/
9&.=(>H/
<((?
K"J*,&*-*) 9&.=(;5/
H*%/.#&,-"B"
I/#&3&'(#&/,+
P+$#4)*
10+=*,(
O"J
10+=*,(
Q(0-:*,)
;R9(
H78J%7
/!C(
>$0"%
H*-&+#.&*+
9$7+=
L/I;
;M",*(
B"&+-#0&)
!#-!"+=*-(
5#4*$#&*)
;M",*(
>0&-7#&*,(
I*'#)-,.
N00'$*(
>0&-7#&*,(
I*'#)-,.
P$7)-#+(
>0&-7#&*,(
I*'#)-,.

19. ?/3#J(.*"?=%%)$"71(&,A"";(S*D(I#)=(
5,0?#$*
7/4*
@%*,"?/=.'*"7/4*
7/,#(&,*.+
8,3.(+#.='#=.*"
(+"7/4*
● TU<VUW 0?(+0%*J7)*(#)(34*&(90",+*
● TUW(0?(2"$&*,7J#$#-#*)(?0"&%(#&(#&%#,*+-(%*4*&%*&+#*)
● XUU)(0?(H#&"Y(47+=7'*)(#&:*,#-*%(?,08(4"J$#+()0",+*)
● !"#$-G(%*4$0.*%(Q()+7$*%(#&()*+0&%)
● ZX(+$0"%(2"$&*,7J#$#-.(#)(8#)+0&?#'",7-#0& [S9;
● S*-D0,=(7++*))G()-0,7'*G()*,2*,) < %*4$0.*%(
7)(?7)-(7)(+0%*
● XU<]UW(0?(+0%*(#)(+")-08(< -:*(*$*8*&-)(-:7-(87=*(.0",(
744("&#^"*G(J"-(&0(0&*(#)(+08#&'(-0(:*$4(.0"
● 90?-D7,*(%*4$0.*%(%7#$.(< J"-(-.4#+7$()+7&)(-7=*("4(-0(
:0",)_(-:*(`D7-*,?7$$`(744,07+:(%0*)&`-()+7$*(7&.80,*a(

20. K*++/,+")*(.,*4"3./2"!%('1*"?#.=#+A"
(">=),*.(5&)&#$"#1(#")*(4"#/"(".*()L)&3*"1('6
!%('1*"?#.=#+"M7NOLPQRSLTUVWX"(##('6+"#&2*)&,*A"YRTQF"<*/%)*"1(4"1&-1)$"%*.+/,()"4(#("*D%/+*4
Apache is
notified of the
Struts vuln
Apache
releases a fix for
the vuln
An exploit
is made
available
through
exploitDB
Attacks
begins
immediately
after the
exploit is
made
available
Lessons learned
1. Detect fast: Make sure to automatically
monitor for new vulns and that your
database is up-to-date
2. Respond fast: Automated fixing into the
process
3. Do it at scale: with more than 1000 vulns
discovered each year, the scalable way to
find-fix is to empower devs to be the
implementers
;--7+=)F17.

21. Chaos Engineering

22. Chaos Engineering is a disciplined approach to
identifying failures before they become outages. -
Internet

23. How?
● Understand the infrastructure and the environments
● Security Differently
● Open-Source Tools
● Automation
● Compliance
● Security Monitoring

24. Z+*"'(+*+"3/."+*'=.&#$"'1(/+"*,-&,**.&,-
● Incident response
● Security control validation
● Security observability
● Compliance monitoring
O'Reilly book on security chaos engineering by Rinehart and
Kelly Shortridge.

25. People Process Technology
For DevSecOps to succeed

26. Inviting Dev and Ops to participate in Security Activities

27. Interacts with multiple departments, assets & resources

28. Embrace the automation
https://blogs.iadb.org/caribbean-dev-trends/wp-content/uploads/sites/34/2019/06/CCB-Automation-blog.jpg

29. Create more Security Champions
Ref:- https://safecode.org/wp-content/uploads/2019/01/champs-pic-768x549.png

30. Cross Skilling
https://www.accuprosys.com/wp-content/uploads/2014/09/42.jpg

31. Empower Dev /Ops to
deliver better and
faster and secure,
instead of blocking.
https://wondercratekids.files.wordpress.com/2017/11/wc_blog_develop-growth-mindset_empower.jpg

32. Making security as part of the everyday process

33. The goal: Ownership change
Top to Bottom
Shift Left

34. Team Sport
Unsplash.com

35. Key takeaways
● Prepare your Umbrella Before it Rains
(Early AppSec in Pipeline)
● Security is everyone’s responsibilities
● DevSecOps won’t replace your
pentesting activity
● Create a Parallel security pipeline for
more in-depth testing
● Don’t take on risk to generate business
value

36. References:-
● https://dzone.com/articles/shifting-left-devsecops
● https://www.verica.io/blog/security-chaos-engineering-how-to-security-
differently/automate-early-often
● https://www.oreilly.com/library/view/security-chaos-engineering/9781492080350/
● https://www.rsa.com/en-us/blog/2020-12/securing-chaos-how-security-chaos-engineering-
tools-can-improve-design-and-response
● https://www.threatstack.com/blog/security-observability-operationalizing-data-in-
complex-distributed-systems
● https://searchcloudsecurity.techtarget.com/tip/How-to-build-a-cloud-security-
observability-strategy
● https://www.trendmicro.com/en_in/devops/21/f/how-to-achieve-more-security-
observability.html

37. Reach Me!
Twitter: @InfosecVandana
LinkedIn: vandana-verma

38. Thank you!