SlideShare uma empresa Scribd logo

Introduction to DevSecOps

A
abhimanyubhogwan

Link to Youtube video: https://youtu.be/-awH_CC4DLo You can contact me at abhimanyu.bhogwan@gmail.com My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/ Basic Introduction to DevSecOps concept Why What and How for DevSecOps Basic intro for Threat Modeling Basic Intro for Security Champions 3 pillars of DevSecOps 6 important components of a DevSecOps approach DevSecOps Security Best Practices How to integrate security in CI/CD pipeline

Educação
1 de 19
Abhimanyu Bhogwan InfoSec Consultant with 10 yrs of experience in multiple security domains Hobbies: yoga , driving , music
Introduction to DevSecOps
What is DevOps? • DevOps (development and operations) is an enterprise software development phrase used to mean a type of agile relationship between development and IT operations. • The goal of DevOps is to change and improve the relationship by advocating better communication and collaboration between these two business units
Evolution of DevOps
What is DevSecOps? • DevSecOps refers to ‘DevOps with integrated security.’ • DevSecOps promotes ‘security is a shared responsibility’ culture wherein security is not a responsibility for only one specific team, but everyone in the team is accountable for security. • DevSecOps aims to integrate security controls in the early stage of software development, rather than implementing at the end.
Integrating Security in DevOps
Why do we need DevSecOps • DevOps’ focus on speed often leaves security teams flat-footed and reactive • Cultural resistance to security • DevOps and cloud environments • Containers and other tools carry their own risks • Unmanaged secrets and poor privileged access controls open dangerous backdoors • to help expedite workflows, DevOps teams may allow almost unrestricted access to privileged accounts (root, admin, etc.)
Uber Delivers a Cautionary Lesson for the DevOps Culture • It’s arguable what was more egregious about Uber’s breach of information of 57 million customers as well as roughly 600,000 drivers; the fact that Uber paid hackers hush money to conceal the hack from the public for months, or the reckless disregard for proper security that led to the hack. • In this instance, an Uber employee published credentials on GitHub, a popular cloud-based, open- source code repository used by developers. A hacker simply captured the Uber credentials off GitHub, then leveraged them for privileged access on Uber’s Amazon AWS Instances. As inexcusable (or at least as inadvisable) as this practice sounds, developers commonly embed authentication credentials and other DevOps secrets haphazardly into code for easy access.
Here are six important components of a DevSecOps approach: • Code analysis – deliver code in small chunks so vulnerabilities can be identified quickly. • Change management – increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad. • Compliance monitoring – be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.). • Threat investigation – identify potential emerging threats with each code update and be able to respond quickly. • Vulnerability assessment – identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched. • Security training – train software and IT engineers with guidelines for set routines.
DevOps Security Best Practices Embrace a DevSecOps model:Embrace Enforce policy & governanceEnforce Automate your DevOps security processes and toolsAutomate Perform comprehensive discoveryPerform Conduct vulnerability managementConduct Adopt configuration managementAdopt Secure access with DevOps secrets managementSecure Control, monitor, and audit access with privileged access management Control, monitor, and audit Segment networksSegment
Integrate Security in CI/CD pipeline
Different aspects of DevSecOps security in the software lifecycle including tools • Static Code Analysis – Scans for vulnerabilities in the code after coding but before unit testing during development (e.g. SonarQube) • Configuration Management and Compliance – Know how your application is configured and whether it follows your policies (e.g., Ansible, Chef, Puppet) • Dynamic Code Analysis – Scan your code for vulnerabilities in how it performs. Execute unit tests to find errors (e.g., SonarLint, VeraCode) • Vulnerability Scanning – Automatically identify known issues in your application for penetration testing (e.g., Nessus) • Infrastructure as Code – Ensures the application is deployed securely and without errors in a repeatable manner (e.g., Ansible) • Continuous Monitoring – Information on how the application is running, collected and monitored to identify issues and feed future improvements. This is done in production environment. (e.g. Splunk, AppDynamics) • Container Security – monitor and protect containers (e.g., BlackDuck)
DevSecOps has three Pillars of Strength People • Trust • Collaboration • Transparency • Communicati on • Incentive and responsibility alignment • Governance Tools • Build • Test • Deploy • Monitor • Security • Logging Process • Continuous Integration • Continuous Testing • Continuous Delivery • Continuous Monitoring • Configuration Management
Security Champions in DevSecOps • Who are Security Champions? • Security Champions are "active members of a team that may help to make decisions about when to engage the Security Team". They act as a core element of security assurance process within the product or service, and hold the role of the Single Point of Contact (SPOC) within the team. • What benefits do Champions bring to my company? • Scaling security through multiple teams • Engaging "non-security" folks • Establishing the security culture
Threat Modeling DevSecOps threat modeling is an organizational culture that ensures security is a consideration from the beginning stages of development. Organizations can use DevSecOps to build more secure applications without causing a lot of friction in their build and deploy process
SAST & DAST Static application security testing (SAST) SAST is also known as “white-box testing”, meaning it tests the internal structures or workings of an application, as opposed to its functionality. It operates at the same level as the source code in order to detect vulnerabilities. Since the SAST analysis is conducted before code compilation, and without executing it, this tool can be applied early on in the software development lifecycle (SDLC). Most SAST tools support the major web languages: PHP, Java, and .Net, and some form of C, C++, or C#. Dynamic application security testing (DAST) DAST is a “black box testing” method, meaning it is performed from the outside in. The principle revolves around introducing faults to test code paths on an application. For instance, it can use threat data feeds to detect malicious activity. DAST doesn’t require source code or binaries since it analyzes by executing the application.
IAST and RASP Interactive application security testing (IAST) AST uses software instrumentation to assess how an application performs and detect vulnerabilities. IAST has an “agent-like” approach, meaning agents and sensors are run to continually analyze the application workings during automated testing, manual testing, or a mix of the two. The process and feedback are done in real time in your integrated development environment (IDE), continuous integration (CI) environment, or quality assurance, or while in production. The sensors have access to: the entire code; data-flow and control-flow; system configuration data; web components; and back-end connection data. Runtime application self-protection (RASP) RASP is capable of inspecting application behavior, as well as the surrounding context. It captures all requests to ensure they are secure and then handles request validation inside the application. RASP can raise an alarm in diagnostic mode and prevent an attack in protection mode, which is done by either stopping the execution of a certain operation or terminating the session.
Conclusion • DevSecOps needs to be a proactive customer centric approach rather than a reactive approach. • DevSecOps benefits include cost reduction, speed of delivery, speed of recovery, compliance at scale etc. • DevSecOps helps us detect and fix issues earlier in the development process thus reducing greatly the cost associated with identifying and fixing them.

Recomendados

DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
Prashanth B. P.
 

Recomendados

DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
Prashanth B. P.
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Joel Divekar
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Cheah Eng Soon
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
Rubal Jain
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Tomas Honzak
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
DevOps.com
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
idsecconf
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
Stefan Streichsbier
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
Why You Should Implement DevSecOps Approach?
Why You Should Implement DevSecOps Approach?Why You Should Implement DevSecOps Approach?
Why You Should Implement DevSecOps Approach?
Enov8
 
How To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowHow To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps Workflow
Enov8
 

Mais conteúdo relacionado

Mais procurados

The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 

Mais procurados (20)

Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 

Semelhante a Introduction to DevSecOps

DevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and DeliveryDevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and Delivery
Dev Software
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
Nadira Bajrei
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
Ajeet Singh
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
Techugo
 

Semelhante a Introduction to DevSecOps (20)

Why You Should Implement DevSecOps Approach?
Why You Should Implement DevSecOps Approach?Why You Should Implement DevSecOps Approach?
Why You Should Implement DevSecOps Approach?
 
How To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowHow To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps Workflow
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital LandscapeDevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital Landscape
 
DevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and DeliveryDevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and Delivery
 
How DevSecOps Can Help You Deliver Software Faster and Safer.pptx
How DevSecOps Can Help You Deliver Software Faster and Safer.pptxHow DevSecOps Can Help You Deliver Software Faster and Safer.pptx
How DevSecOps Can Help You Deliver Software Faster and Safer.pptx
 
Scanning in DevSecOps: A Detailed Guide
Scanning in DevSecOps: A Detailed GuideScanning in DevSecOps: A Detailed Guide
Scanning in DevSecOps: A Detailed Guide
 
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineDevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps Pipeline
 
Why You Should Implement DevSecOps Approach?
Why You Should Implement DevSecOps Approach?Why You Should Implement DevSecOps Approach?
Why You Should Implement DevSecOps Approach?
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
 
4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
 
DevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLC
 
DevSecOps Security: Is it Necessary?
DevSecOps Security: Is it Necessary?DevSecOps Security: Is it Necessary?
DevSecOps Security: Is it Necessary?
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise Devsecops
 
Ensuring Secure and Efficient Operations with DevOps Security
Ensuring Secure and Efficient Operations with DevOps SecurityEnsuring Secure and Efficient Operations with DevOps Security
Ensuring Secure and Efficient Operations with DevOps Security
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
 

Último

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Sapana Sha
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Krashi Coaching
 

Último (20)

Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 

Introduction to DevSecOps

  • 1. Abhimanyu Bhogwan InfoSec Consultant with 10 yrs of experience in multiple security domains Hobbies: yoga , driving , music
  • 3. What is DevOps? • DevOps (development and operations) is an enterprise software development phrase used to mean a type of agile relationship between development and IT operations. • The goal of DevOps is to change and improve the relationship by advocating better communication and collaboration between these two business units
  • 5. What is DevSecOps? • DevSecOps refers to ‘DevOps with integrated security.’ • DevSecOps promotes ‘security is a shared responsibility’ culture wherein security is not a responsibility for only one specific team, but everyone in the team is accountable for security. • DevSecOps aims to integrate security controls in the early stage of software development, rather than implementing at the end.
  • 7. Why do we need DevSecOps • DevOps’ focus on speed often leaves security teams flat-footed and reactive • Cultural resistance to security • DevOps and cloud environments • Containers and other tools carry their own risks • Unmanaged secrets and poor privileged access controls open dangerous backdoors • to help expedite workflows, DevOps teams may allow almost unrestricted access to privileged accounts (root, admin, etc.)
  • 8. Uber Delivers a Cautionary Lesson for the DevOps Culture • It’s arguable what was more egregious about Uber’s breach of information of 57 million customers as well as roughly 600,000 drivers; the fact that Uber paid hackers hush money to conceal the hack from the public for months, or the reckless disregard for proper security that led to the hack. • In this instance, an Uber employee published credentials on GitHub, a popular cloud-based, open- source code repository used by developers. A hacker simply captured the Uber credentials off GitHub, then leveraged them for privileged access on Uber’s Amazon AWS Instances. As inexcusable (or at least as inadvisable) as this practice sounds, developers commonly embed authentication credentials and other DevOps secrets haphazardly into code for easy access.
  • 9. Here are six important components of a DevSecOps approach: • Code analysis – deliver code in small chunks so vulnerabilities can be identified quickly. • Change management – increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad. • Compliance monitoring – be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.). • Threat investigation – identify potential emerging threats with each code update and be able to respond quickly. • Vulnerability assessment – identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched. • Security training – train software and IT engineers with guidelines for set routines.
  • 10. DevOps Security Best Practices Embrace a DevSecOps model:Embrace Enforce policy & governanceEnforce Automate your DevOps security processes and toolsAutomate Perform comprehensive discoveryPerform Conduct vulnerability managementConduct Adopt configuration managementAdopt Secure access with DevOps secrets managementSecure Control, monitor, and audit access with privileged access management Control, monitor, and audit Segment networksSegment
  • 11. Integrate Security in CI/CD pipeline
  • 12. Different aspects of DevSecOps security in the software lifecycle including tools • Static Code Analysis – Scans for vulnerabilities in the code after coding but before unit testing during development (e.g. SonarQube) • Configuration Management and Compliance – Know how your application is configured and whether it follows your policies (e.g., Ansible, Chef, Puppet) • Dynamic Code Analysis – Scan your code for vulnerabilities in how it performs. Execute unit tests to find errors (e.g., SonarLint, VeraCode) • Vulnerability Scanning – Automatically identify known issues in your application for penetration testing (e.g., Nessus) • Infrastructure as Code – Ensures the application is deployed securely and without errors in a repeatable manner (e.g., Ansible) • Continuous Monitoring – Information on how the application is running, collected and monitored to identify issues and feed future improvements. This is done in production environment. (e.g. Splunk, AppDynamics) • Container Security – monitor and protect containers (e.g., BlackDuck)
  • 13. DevSecOps has three Pillars of Strength People • Trust • Collaboration • Transparency • Communicati on • Incentive and responsibility alignment • Governance Tools • Build • Test • Deploy • Monitor • Security • Logging Process • Continuous Integration • Continuous Testing • Continuous Delivery • Continuous Monitoring • Configuration Management
  • 14. Security Champions in DevSecOps • Who are Security Champions? • Security Champions are "active members of a team that may help to make decisions about when to engage the Security Team". They act as a core element of security assurance process within the product or service, and hold the role of the Single Point of Contact (SPOC) within the team. • What benefits do Champions bring to my company? • Scaling security through multiple teams • Engaging "non-security" folks • Establishing the security culture
  • 15.
  • 16. Threat Modeling DevSecOps threat modeling is an organizational culture that ensures security is a consideration from the beginning stages of development. Organizations can use DevSecOps to build more secure applications without causing a lot of friction in their build and deploy process
  • 17. SAST & DAST Static application security testing (SAST) SAST is also known as “white-box testing”, meaning it tests the internal structures or workings of an application, as opposed to its functionality. It operates at the same level as the source code in order to detect vulnerabilities. Since the SAST analysis is conducted before code compilation, and without executing it, this tool can be applied early on in the software development lifecycle (SDLC). Most SAST tools support the major web languages: PHP, Java, and .Net, and some form of C, C++, or C#. Dynamic application security testing (DAST) DAST is a “black box testing” method, meaning it is performed from the outside in. The principle revolves around introducing faults to test code paths on an application. For instance, it can use threat data feeds to detect malicious activity. DAST doesn’t require source code or binaries since it analyzes by executing the application.
  • 18. IAST and RASP Interactive application security testing (IAST) AST uses software instrumentation to assess how an application performs and detect vulnerabilities. IAST has an “agent-like” approach, meaning agents and sensors are run to continually analyze the application workings during automated testing, manual testing, or a mix of the two. The process and feedback are done in real time in your integrated development environment (IDE), continuous integration (CI) environment, or quality assurance, or while in production. The sensors have access to: the entire code; data-flow and control-flow; system configuration data; web components; and back-end connection data. Runtime application self-protection (RASP) RASP is capable of inspecting application behavior, as well as the surrounding context. It captures all requests to ensure they are secure and then handles request validation inside the application. RASP can raise an alarm in diagnostic mode and prevent an attack in protection mode, which is done by either stopping the execution of a certain operation or terminating the session.
  • 19. Conclusion • DevSecOps needs to be a proactive customer centric approach rather than a reactive approach. • DevSecOps benefits include cost reduction, speed of delivery, speed of recovery, compliance at scale etc. • DevSecOps helps us detect and fix issues earlier in the development process thus reducing greatly the cost associated with identifying and fixing them.