Demystifying DevSecOps

  1. Demystifying DevSecOps
     Archana Joshi, Director – Digital Engineering, Cognizant
  2. Did you know? "Over 53,000 cyber security incidents like phishing, website intrusions and defacements, virus and ransomware attacks were observed in the country (India) during 2017, Parliament was informed today…"
     Source: https://economictimes.indiatimes.com/tech/ites/over-53000-cyber-security-incidents-observed-in-2017/articleshow/62852008.cms
  3. Did you know? (chart)
     Source: State of Application Security – Forrester 2018, https://www.forrester.com/report/...State...Application+Security+2018/-/E-RES141676
  4. Did you know? (chart)
     Source: "The State of Open Source Security," Snyk, 2017
  5. What is DevSecOps? Infusing security practices that lead to … while still retaining the core DevOps benefits of:
     • Faster release cycles
     • Early defect detection
     • Fewer deployment failures and rollbacks
     • Reduced time to recover upon failure
  6. But we have security-related NFRs in our backlog. Isn't that enough?
     "By 2021, DevSecOps will be embedded into 80% of rapid development teams."
     Source: https://www.gartner.com/doc/3811369/-things-right-successful-devsecops
  7. Implementing DevSecOps needs changes across four areas: People, Processes, Tools and Governance.
  8. People: Security is everyone's business, not just that of the Security & Compliance teams.
     • Build a culture that encourages "security as code"
     • Equip developers with the concepts of secure coding
  9. Processes: Practice "Secure SDLC". Update your SDLC processes and practices to include:
     • Security epics and user stories in the backlog
     • Security criteria in the Definition of Done for the sprint
     • Secure coding practices as part of technical debt measurements
     • Security testing embedded in the testing cycles
  10. Tools & Technology: Select from the wide range of available tools, for example CloudWatch Alarms, Docker Bench, Amazon Inspector and gitrob.
  11. Governance: Don't forget to govern. Dedicated roles and ceremonies:
     • Roles: Security Officer; Security Architect (Portfolio); Security Architect (Value Stream 1); DevSecOps Platform Architect; DevSecOps Engineer (Release Train 1); DevSecOps Engineer (Release Train 2); DevSecOps Engineer 1; DevSecOps Engineer 2
     • Ceremonies: Security Huddle Meetings / Security Chapter Leads / DevSecOps Engineers
  12. Typical DevOps pipeline: Story boarding → Coding → Integrate → Test → Deploy → Monitor
  13. Typical DevSecOps pipeline (each DevOps stage gains a security activity and a security theme):
     • Story boarding – Security NFR: Threat Modelling; Security Backlog (theme: Security Consultation)
     • Coding – Security in DoD: IDE Security Plugin; Code reviews; Regular Expression Analysis (theme: Security Consultation)
     • Integrate – Analyse: Static Application Security Testing (SAST); Web Services; Automated Security Tests (theme: Early Detection, Shift-Left)
     • Test – Scan: Dynamic Application Security Testing (DAST); DB Security Tests; Automated Security Tests (theme: Outside-In, Hacker Style)
     • Deploy – Inspect: Config Management; Pen Testing; Compliance & Audit (theme: Exploit Vulnerabilities)
     • Monitor – Continuous: Monitoring and alerting (Intrusion / App attack); BCP/DR; Audit & compliance (theme: Continuously Improve)
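As an added example (not code from the presentation or its author), here is the kind of automated gate that makes slide 9's "security criteria in the Definition of Done" and slide 13's Integrate/Analyse stage enforceable rather than aspirational: a script that reads a SAST report in SARIF 2.1.0 format (the common interchange format emitted by most static analysers) and fails the pipeline when findings exceed agreed thresholds. The SARIF document, rule ids, file names and the threshold policy are all constructed for illustration.

```python
"""Pipeline security gate: fail the build when a SAST report violates the
Definition-of-Done thresholds. Added example; the SARIF sample is constructed."""
import json

# Constructed SARIF 2.1.0 document standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input concatenated into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
})

# Hypothetical Definition-of-Done policy: no error-level findings may ship,
# at most two warnings are tolerated, notes are informational only.
DEFAULT_POLICY = {"error": 0, "warning": 2}


def parse_sarif(text):
    """Flatten SARIF results into (level, ruleId, uri, line, message) tuples."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # SARIF treats a missing level as "warning"; mirror that here.
            level = result.get("level", "warning")
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append((level, result.get("ruleId", "?"), uri, line,
                             result.get("message", {}).get("text", "")))
    return findings


def count_by_level(findings):
    """Count findings per SARIF level, e.g. {"error": 1, "warning": 1}."""
    counts = {}
    for level, *_ in findings:
        counts[level] = counts.get(level, 0) + 1
    return counts


def evaluate_gate(findings, policy=DEFAULT_POLICY):
    """Return (passed, violations); each violation is (level, count, limit)."""
    counts = count_by_level(findings)
    violations = [(level, counts.get(level, 0), limit)
                  for level, limit in policy.items()
                  if counts.get(level, 0) > limit]
    return (not violations, violations)


def report(findings, policy=DEFAULT_POLICY):
    """Human-readable summary ending in the gate verdict, for the CI log."""
    passed, violations = evaluate_gate(findings, policy)
    lines = [f"{lvl:8} {rule:20} {uri}:{ln}  {msg}"
             for lvl, rule, uri, ln, msg in findings]
    for level, count, limit in violations:
        lines.append(f"{level}: {count} finding(s), limit {limit}")
    lines.append("security gate: " + ("PASS" if passed else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    found = parse_sarif(SAMPLE_SARIF)
    print(report(found))
    # A non-zero exit is what actually blocks the pipeline stage.
    sys.exit(0 if evaluate_gate(found)[0] else 1)
```

Run it as the step immediately after the SAST scanner in the Integrate stage, feeding it the scanner's real SARIF file instead of the embedded sample; the non-zero exit code is what turns the Definition-of-Done criterion into a hard stop. Keep the threshold policy in version control next to the pipeline definition so that loosening it is a reviewed change, not a quiet one.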
  14. Thank You. https://www.linkedin.com/in/arcjoshi
     Note: The views represented in the presentation are solely those of the author and do not represent those of the company / clients she is associated with.