Practical DevSecOps

1. Practical DevSecOps
Arief Karfianto
IDSECCONF 2018

2. Agenda
• Background (15')
• DevSecOps in Action (15')
• Question and Answer (15')

3. Who am I?
Arief Karfianto
Information System Analyst
System Administrator
QA Engineer
App Designer
Web Developer

4. Where am I working?

5. IT Organization Profile
Information and Communication Management Division
1. Data and Information
• Statistical and Spatial Data, Information System
2. Infrastructure
• Data Center, Server, Network, Video Conference
3. Information Security
• Security Testing, ISMS
12 IT Employees

6. Development Life Cycle
V1 V3
• Email
• FTP
V2
– No Code Versioning
– No Development Env
– No Automation

7. Development Life Cycle
• Code Repository
• Development Server
• Scheduled Sync*
(DevOps)
V1 V2 V3
– No Automated Security
Testing
– Prod-Dev Difference
problems

8. Development Life Cycle
• Code Versioning
• Continuous Integration
• Automated Security Analysis
(DevSecOps)
V1 V2 V3

9. Competing Forces
Business
Development Security Operations
Build it
Faster! Make it
Secure!
Keep it
Stable!

11. Why Automation?
Reduce risk of human error
• Automation is effective
• Automation is reliable
• Automation is scalable

12. What is DevOps?
Culture Practice Tools
People Process Technology

13. Collaborative Work
Business
Development Security Operations
Build it faster, make it
secure and stable!

14. Collaborative Work
ü Continuous Communication
ü Continuous Feedback
ü Continuous Requirement
ü Continuous Fixes
§ Secure Coding (e.g.OWASP)
§ Coding Standard (e.g. PSR)
§ Release Management

15. What is DevSecOps?
1. Code Repository
2. Runner
3. Code Scanner
Push a new commit
to a branch
trigger
Dev Server
deploy to
Automated Testing and Deployment
Code Scanning
Script
Deployment
Script

16. GitLab CI Configuration (.gitlab-ci.yml)
stages:
- scan
- deploy
code_analysis:
stage: scan
image: docker-image-name
script:
- script_1
only:
- develop
deploy_to_dev:
stage: deploy
image: docker-image-name
script:
- script_2
only:
- develop

17. Architecture

18. DevSecOps in Action

19. Lessons Learned
• Some security vulnerabilities can be detected by suitable
tools
• Non-standard coding styles can be detected by the code
analyzer
• There can be a high rate of false positive detection
• The deployment process is quick
• It is important to combine the static analysis with dynamic
testing as some vulnerabilities are not easily detected through
the code analysis

20. Thank You!
@karfianto
blog.ictlab.org
au.linkedin.com/karfi