DEVOPS INDONESIA
Jakarta, 26 September 2018
DevSecOps: The Open Source Way
DevOps Community in Indonesia
DEVOPS INDONESIA HOUSE RULES
100% ATTENTION
TAKE NOTES, NOT CALLS
RECEIVE KNOWLEDGE, NOT MESSAGES
MUTE NOTIFICATIONS FOR SLACK QQ WHATSAPP IMESSAGE EMAIL
TELEGRAM SNAPCHAT FACEBOOK WEIBO HANGOUTS VOXER SIGNAL G+
TWITTER VIBER SKYPE WECHAT LINE SMS ...

Let's get to know each other
Linux Geek | OpenSource Enthusiast | Security Hobbies
Yusuf Hadiwinata Sutandar

Managing risk in a volatile DevOps world

Raise Your Hand!
Who..
...has heard of Docker?
...knows what Docker is?
...has tried Docker?
or
...uses Docker?
...uses Docker in production?
...with additional tools?
...or even implement DevSecOps?
Or SecDevOps..
DevOpsSec?!!
Or maybe SecDevSecOpsSec?

WHY DevSecOps?
● DevOps “purists” point out that security was always part of DevOps
● Did people just not read the book? Are practitioners skipping security?
● DevSecOps practitioners say it’s about how to continuously integrate and automate security at scale
● Goal:
  ● Protecting private user data / company data
  ● Restricting access
  ● Standards compliance

GLASS HALF EMPTY, GLASS HALF FULL
“... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”
DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016

Security is seen as an inhibitor to DevOps
● Security infrastructure has lagged in its ability to become ‘software defined’ and programmable, making it difficult to integrate...
● Modern applications are largely ‘assembled,’ not developed, and developers often download and use known vulnerable open-source components and frameworks

Applications are ‘assembled’...
...utilizing billions of available libraries, frameworks and utilities
● Not all are created equal: some are healthy and some are not
● All go bad over time; they age like milk, not like wine
● Data shows enterprises consumed an average of 229,000 software components annually, of which 17,000 had a known security vulnerability

THE PERFECT STORM
● Cloud
● DevOps
● Open Source Software innovation explosion
● Containers/Microservices
● Digital transformation

YOU MANAGE RISK BY
● Securing the Assets/Infra
● Securing the Dev
● Securing the Ops
● Securing the APIs

SECURING THE ASSETS
● Building code
  ● Watching for changes in how things get built
  ● Signing the builds
● Built assets
  ● Scripts, binaries, packages (RPMs), containers (OCI images), machine images (ISOs, etc.)
● Registries (Service, Container, App)
● Repositories (local on-host image assets)

SECURING THE SOFTWARE ASSETS - E.G. IMAGE REGISTRY
● Public and private registries
● Do you require a private registry?
● What security metadata is available for your images?
● Are the images in the registry updated regularly?
● Are there access controls on the registry? How strong are they?
● Who can push images to the registry?

SECURING THE ASSETS
HEALTH - Security freshness
● Freshness grade for container security
● Monitor the image registry to automatically replace affected images
● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment

SECURING THE DEVELOPMENT PROCESS
● Potentially lots of parallel builds
● Source code
  ● Where is it coming from?
  ● Who is it coming from?
● Supply chain tooling
  ● CI tools (e.g. Jenkins)
  ● Testing tools
  ● Scanning tools (e.g. Black Duck, Sonatype)

SECURING THE OPERATIONS
Deployment
● Trusted registries and repos
● Signature authenticating and authorizing
● Image scanning
● Policies
● Ongoing assessment with automated remediation
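
The two gating ideas above (the "Security freshness" policy that blocks a container needing root, and the deployment checklist of trusted registries, verified signatures and policies) can be expressed as one admission check that runs before a deploy. The Python below is an added example written for this page, not the deck's own code or that of any project it names: the ImageRecord fields mimic a subset of `docker inspect` output, the `signature_verified` flag is assumed to come from an earlier signature-verification step in the pipeline, and the registry allowlist and sample images are constructed.

```python
"""Deployment gate for container images: trusted registry, verified signature,
non-root user, no privileged mode.

Added example, not code from the deck or from any project it names. The
ImageRecord values are constructed to mimic a subset of `docker inspect`
output; `signature_verified` is assumed to be the output of a separate
signature-verification step in the pipeline."""
from dataclasses import dataclass
from typing import List

# Constructed allowlist of registries the pipeline may deploy from.
TRUSTED_REGISTRIES = {"registry.example.internal", "quay.io"}


@dataclass
class ImageRecord:
    reference: str            # image reference, e.g. registry.example.internal/shop/web:1.4
    user: str                 # Config.User from the image config; "" means root
    privileged: bool          # HostConfig.Privileged in the deployment request
    signature_verified: bool  # assumed result of the signature verification step


def registry_of(reference: str) -> str:
    """Return the registry an image reference points at.

    Docker's reference grammar treats the first path component as a registry
    host only if it contains '.' or ':' or is 'localhost'; otherwise the
    default registry (docker.io) is implied."""
    first = reference.split("/", 1)[0]
    if "/" in reference and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def is_root_user(user: str) -> bool:
    """True when the image would run as root: USER unset, 'root', or uid 0.
    USER may carry a group ("1000:1000"); only the user part matters here."""
    name = user.split(":", 1)[0].strip()
    return name in ("", "root", "0")


def evaluate(image: ImageRecord) -> List[str]:
    """Return the list of policy violations; an empty list means admit."""
    violations = []
    registry = registry_of(image.reference)
    if registry not in TRUSTED_REGISTRIES:
        violations.append(f"untrusted registry: {registry}")
    if not image.signature_verified:
        violations.append("image signature not verified")
    if is_root_user(image.user):
        violations.append("container would run as root")
    if image.privileged:
        violations.append("privileged mode requested")
    return violations


def admit(image: ImageRecord) -> bool:
    """Gate decision: deploy only when no policy is violated."""
    return not evaluate(image)


if __name__ == "__main__":
    # Constructed sample deployment requests.
    good = ImageRecord("registry.example.internal/shop/web:1.4", "1000:1000", False, True)
    bad = ImageRecord("nginx:1.25", "", True, False)
    for img in (good, bad):
        print(img.reference, "->", "ADMIT" if admit(img) else "REJECT", evaluate(img))
```

The check reports every violation rather than stopping at the first one, so a developer sees the full list in one pipeline run; note that an unset USER in the image config counts as root, which is the case the slide singles out.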

SECURING THE OPERATIONS
Lifecycle
● Blue/Green, A/B or Canary continuous deployments
● Monitoring deployments
● Possibly multiple environments

Modern architectures are API driven, requiring a DevOps approach to API management. Visibility, routing, and authorization are key security concerns.

Plan - Threat Modeling Tools
OWASP Threat Dragon Project
Threat Dragon is a free, open-source threat modeling tool from OWASP. It can be used as a standalone desktop app for Windows and macOS (Linux coming soon) or as a web application. The desktop app is great if you want to try the application without giving it access to your GitHub repos, but if you choose the online version you get to unleash the awesome power of GitHub on your threat models! Obviously, to do this you need to log in first.
https://github.com/appsecco/owasp-threat-dragon-gitlab

Docker Host Security Compliance

Security Automation for Containers and VMs with OpenSCAP
SCAP is a set of specifications related to security automation. SCAP is used to improve security posture (hardening and finding vulnerabilities) as well as for regulatory reasons.
https://github.com/dstraub/satellite-plugin
https://github.com/RedHatSatellite/soe-ci
https://servicesblog.redhat.com/2017/06/12/standard-operating-environment-part-iii-a-reference-implementation/
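
For a pipeline to act on an OpenSCAP scan rather than just archive it, the XCCDF result file has to be parsed and turned into a pass/fail decision. The Python below is an added example written for this page, not code from the deck or from the OpenSCAP project: it reads a constructed, minimal XCCDF 1.2 result document in the shape that `oscap xccdf eval --results` writes (the rule ids, severities and score are made up for the example) and blocks promotion when any rule of a chosen severity has failed.

```python
"""Parse an OpenSCAP XCCDF result file and gate on failed rules.

Added example, not code from the deck or from the OpenSCAP project. The XML
below is a constructed, minimal XCCDF 1.2 result in the shape that
`oscap xccdf eval --results` writes; the rule ids and score are made up."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Set, Tuple

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample result document (rule ids follow the XCCDF 1.2 id style
# but belong to no real benchmark).
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_demo">
    <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_package_audit_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_file_permissions_etc_shadow" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_service_avahi_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_sysctl_kernel_randomize_va_space" severity="medium">
      <result>fail</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">60.000000</score>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (rule id, severity, result) for every rule-result in the file."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result_el = rr.find("x:result", XCCDF_NS)
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        rows.append((rr.get("idref", ""), rr.get("severity", "unknown"), result))
    return rows


def summarize(xml_text: str) -> Dict[str, int]:
    """Count outcomes (pass/fail/notapplicable/...) across all rules."""
    return dict(Counter(result for _, _, result in parse_results(xml_text)))


def failed_rules(xml_text: str, severities: Set[str]) -> List[str]:
    """Rule ids that failed at one of the given severities."""
    return [rid for rid, sev, res in parse_results(xml_text)
            if res == "fail" and sev in severities]


def gate(xml_text: str, fail_on: Set[str] = frozenset({"high"})) -> bool:
    """True when the host/image may be promoted: no failed rule at a blocking severity."""
    return not failed_rules(xml_text, set(fail_on))


if __name__ == "__main__":
    print(summarize(SAMPLE_RESULTS))
    print("blocking failures:", failed_rules(SAMPLE_RESULTS, {"high"}))
    print("promote:", gate(SAMPLE_RESULTS))
```

Gating on per-rule severity rather than on the aggregate XCCDF score is deliberate: a score of 60 says nothing about whether the one rule that failed is the root-login check or a cosmetic one.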

API-aware Networking and Security
Cilium brings API-aware network security filtering to Linux container frameworks like Docker and Kubernetes. Using a new Linux kernel technology called BPF, Cilium provides a simple and efficient way to define and enforce both network-layer and application-layer security policies based on container/pod identity.
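
The point of identity-based policy is that the decision keys on the pod's labels, not its IP address, and that an L7 rule can restrict which HTTP methods and paths a caller may use. The Python below is an added example written for this page, not Cilium code: it is a small evaluator whose policy dict mirrors the CiliumNetworkPolicy shape (endpointSelector, ingress[].fromEndpoints, toPorts[].rules.http) but is constructed in the script rather than parsed from a real manifest; the labels, port and paths are made up.

```python
"""Identity-based network policy evaluation, modelled on how Cilium selects
endpoints by labels (identity) instead of IP addresses and can add L7 (HTTP)
rules on top of L3/L4.

Added example written for this page, not Cilium code. The policy dict mirrors
the CiliumNetworkPolicy shape but is constructed here; labels and paths are
made up."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    name: str
    ip: str                      # kept only to show it plays no role in the decision
    labels: Dict[str, str] = field(default_factory=dict)


# Constructed policy: only pods labelled app=frontend may reach app=api on
# TCP/8080, and only for GET/POST on /v1/orders (path is a regex, as in Cilium).
POLICIES: List[dict] = [{
    "endpointSelector": {"app": "api"},
    "ingress": [{
        "fromEndpoints": [{"app": "frontend"}],
        "toPorts": [{
            "port": 8080, "protocol": "TCP",
            "rules": {"http": [
                {"method": "GET", "path": "/v1/orders(/[0-9]+)?"},
                {"method": "POST", "path": "/v1/orders"},
            ]},
        }],
    }],
}]


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """A selector matches when every key/value it lists is present on the endpoint."""
    return all(labels.get(k) == v for k, v in selector.items())


def http_rule_matches(rule: dict, method: Optional[str], path: Optional[str]) -> bool:
    """Method must equal the rule's method; path must fully match the rule's regex."""
    if "method" in rule and rule["method"] != method:
        return False
    if "path" in rule and (path is None or re.fullmatch(rule["path"], path) is None):
        return False
    return True


def allowed(src: Endpoint, dst: Endpoint, port: int, proto: str = "TCP",
            method: Optional[str] = None, path: Optional[str] = None) -> bool:
    """Decide an ingress flow src -> dst:port. With no policy selecting dst the
    flow is allowed (no enforcement); once a policy selects dst, only a matching
    rule allows it, and a rule carrying L7 rules also requires an HTTP match."""
    selecting = [p for p in POLICIES if selector_matches(p["endpointSelector"], dst.labels)]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy.get("ingress", []):
            if not any(selector_matches(s, src.labels) for s in rule.get("fromEndpoints", [])):
                continue
            for tp in rule.get("toPorts", []):
                if tp["port"] != port or tp.get("protocol", "TCP") != proto:
                    continue
                http_rules = tp.get("rules", {}).get("http")
                if not http_rules:
                    return True  # L4-only rule: any payload on this port is allowed
                if any(http_rule_matches(r, method, path) for r in http_rules):
                    return True
    return False


if __name__ == "__main__":
    frontend = Endpoint("frontend-7d9", "10.0.1.12", {"app": "frontend"})
    api = Endpoint("api-5c4", "10.0.2.7", {"app": "api"})
    print(allowed(frontend, api, 8080, method="GET", path="/v1/orders/42"))     # True
    print(allowed(frontend, api, 8080, method="DELETE", path="/v1/orders/42"))  # False
```

Because the decision never reads `Endpoint.ip`, a frontend pod that is rescheduled and gets a new address keeps the same access, and a pod with a different `app` label gets none even if it lands on the address the frontend used to have; that is the property the slide's "based on container/pod identity" refers to.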

Secure container-aware credentials storage, trust management
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.
https://github.com/jenkinsci/hashicorp-vault-plugin

Static source-code analysis / static application security testing (SAST)
Brakeman - Rails Security Scanner
Static analysis security scanner for Ruby on Rails
https://jenkins.io/doc/pipeline/steps/brakeman/
https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/

Static source-code analysis / static application security testing (SAST)
SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in 20+ programming languages.
https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Jenkins
https://www.owasp.org/index.php/Source_Code_Analysis_Tools

Static Application Security Testing (SAST)
Clair: The Container Image Security Analyzer
Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).
https://github.com/benfab/clair-demo
Integrate the image scanning into Jenkins pipelines with clairctl
Clairctl is a lightweight command-line tool that bridges registries such as Docker Hub, Docker Registry or Quay.io and the CoreOS vulnerability tracker, Clair. Clairctl acts as a reverse proxy for authentication.
https://github.com/jgsqware/clairctl
Jenkins CI Image Vulnerability Scan
https://github.com/protacon/ci-image-vulnerability-scan
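
Integrating the scan into the pipeline only helps if the result is turned into a build decision, and a usable gate needs a severity threshold, a way to record accepted risk, and often a distinction between findings that have an upstream fix and those that do not. The Python below is an added example written for this page, not code from the deck, Clair or clairctl: it evaluates a constructed report in the shape of Clair's v2 layer response (Layer.Features[].Vulnerabilities[] with Name/Severity/FixedBy); the CVE identifiers in it are placeholders, not real advisories.

```python
"""Gate a pipeline on a Clair vulnerability report.

Added example, not code from the deck, Clair or clairctl. The report below
is constructed in the shape of Clair's v2 layer response; the CVE ids are
placeholders, not real advisories."""
from typing import Dict, List, Set

# Clair v2 severity scale, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# Constructed sample report for one image layer (placeholder ids and versions).
SAMPLE_REPORT = {
    "Layer": {
        "Name": "sha256:constructed-layer-digest",
        "Features": [
            {"Name": "openssl", "Version": "1.1.0-placeholder", "Vulnerabilities": [
                {"Name": "CVE-0000-0001", "Severity": "High", "FixedBy": "1.1.0-fixed-placeholder"},
                {"Name": "CVE-0000-0002", "Severity": "Low", "FixedBy": ""},
            ]},
            {"Name": "glibc", "Version": "2.28-placeholder", "Vulnerabilities": [
                {"Name": "CVE-0000-0003", "Severity": "Critical", "FixedBy": ""},
            ]},
            {"Name": "zlib", "Version": "1.2.11-placeholder"},  # no known vulnerabilities
        ],
    }
}


def severity_rank(name: str) -> int:
    """Map a Clair severity to an integer; unrecognised names rank as Unknown."""
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 0


def findings(report: dict, threshold: str = "High", accepted: Set[str] = frozenset(),
             only_fixable: bool = False) -> List[Dict[str, str]]:
    """Vulnerabilities at or above `threshold`, minus risk-accepted ids.
    With only_fixable=True, entries without an upstream fix are left out
    (a 'must-fix' gate rather than a reporting run)."""
    out = []
    for feature in report.get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            if vuln["Name"] in accepted:
                continue
            if severity_rank(vuln.get("Severity", "Unknown")) < severity_rank(threshold):
                continue
            if only_fixable and not vuln.get("FixedBy"):
                continue
            out.append({"package": feature["Name"], "version": feature.get("Version", ""),
                        "id": vuln["Name"], "severity": vuln.get("Severity", "Unknown"),
                        "fixed_by": vuln.get("FixedBy", "")})
    return out


def gate(report: dict, **kwargs) -> bool:
    """True when the image may proceed through the pipeline."""
    return not findings(report, **kwargs)


if __name__ == "__main__":
    for f in findings(SAMPLE_REPORT):
        print(f"{f['severity']:8} {f['id']} in {f['package']} {f['version']} fix: {f['fixed_by'] or '-'}")
    print("proceed:", gate(SAMPLE_REPORT))
```

The accepted-risk set should live in version control next to the pipeline definition so that every suppression is reviewable; an unrecognised severity string ranks as Unknown so that a new scale value never silently slips past the threshold as something higher than it is.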

Dynamic Application Security Testing (DAST)
OWASP Zed Attack Proxy Project
It is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.
https://plugins.jenkins.io/zapper
https://wiki.jenkins.io/display/JENKINS/Zapper+Plugin
https://youtu.be/xMLb7BDdfNo

Dynamic Application Security Testing (DAST)
Free, Simple, Distributed, Intelligent, Powerful, Friendly.
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.
https://blog.secodis.com/2016/03/17/automated-security-tests-3-jenkins-arachni-threadfix/
https://wiki.jenkins.io/display/JENKINS/Arachni+Scanner+plugin

Mobile Application Security Testing (MAST)
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless.
https://medium.com/@omerlh/how-to-continuously-hacking-your-app-c8b32d1633ad
https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/10.-MobSF-CI-CD

Security Framework
Managed Ecosystem for Secure Operations
SIMP is an Open Source, fully automated, and extensively tested framework that can either enhance your existing infrastructure or allow you to quickly build one from scratch. Built on the mature Puppet product suite, SIMP is designed around scalability, flexibility, and compliance.

Container Security Framework
NIST Special Publication 800-190: Application Container Security Guide
Access Control; Configuration Management; System and Communications Protection; System and Information Integrity; Audit and Accountability; Awareness and Training; Identification and Authentication; Incident Response; Risk Assessment
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf

BRINGING IT ALL TOGETHER

Homework!!

Continuous learning of DevSecOps concepts
OWASP DevSecOps Studio Project
DevSecOps Studio is a one-of-a-kind, self-contained DevSecOps environment/distribution to help individuals learn DevSecOps concepts. It takes a lot of effort to set up the environment for training/demos and, more often than not, it is error-prone when done manually.
Features:
● Easy-to-set-up environment with just one command: “vagrant up”
● Teaches Security as Code, Compliance as Code, Infrastructure as Code
● Built-in support for a CI/CD pipeline
● OS hardening using Ansible
● Compliance as code using InSpec
● QA security using ZAP, BDD-Security and Gauntlt
● Static tools like bandit, brakeman, windbags, gitrob, gitsecrets
● Security monitoring using the ELK stack

BRINGING IT ALL TOGETHER
● Git server to store code and infrastructure (as code)
● CI/CD pipeline to embed security as part of CI/CD: SAST, DAST, hardening, compliance, etc.
● Add security tools as jobs
● Analyze and fix the issues found
https://github.com/teacheraio/DevSecOps-Studio/wiki

Questions???
linkedin.com/in/yusufhadiwinata/
https://www.meetup.com/Docker-Indonesia/
Stay Connected
@devopsindonesia
facebook.com/yusuf.hadiwinata
www.devopsindonesia.com
linkedin.com/in/mademulia/
https://www.meetup.com/DevOps-Indonesia

Are You Awesome?
We are Hiring!
Check https://t.me/IDDevOps for details
Alone We are smart, together We are brilliant
THANK YOU !
Quote by Steve Anderson

Devops Indonesia Presentation Monitoring Framework
 
Biznet Gio Presentation - Database Security
Biznet Gio Presentation - Database SecurityBiznet Gio Presentation - Database Security
Biznet Gio Presentation - Database Security
 
Biznet Gio Presentation - Cloud Computing
Biznet Gio Presentation - Cloud ComputingBiznet Gio Presentation - Cloud Computing
Biznet Gio Presentation - Cloud Computing
 
Bssn book security awarness
Bssn book security awarnessBssn book security awarness
Bssn book security awarness
 
Job vacancies cti group
Job vacancies cti groupJob vacancies cti group
Job vacancies cti group
 
Devops indonesia - The Future Container
Devops indonesia - The Future ContainerDevops indonesia - The Future Container
Devops indonesia - The Future Container
 
Journey to the devops automation with docker kubernetes and openshift
Journey to the devops automation with docker kubernetes and openshiftJourney to the devops automation with docker kubernetes and openshift
Journey to the devops automation with docker kubernetes and openshift
 
War of Openstack Private Cloud Distribution
War of Openstack Private Cloud DistributionWar of Openstack Private Cloud Distribution
War of Openstack Private Cloud Distribution
 
create auto scale jboss cluster with openshift
create auto scale jboss cluster with openshiftcreate auto scale jboss cluster with openshift
create auto scale jboss cluster with openshift
 
Docker handons-workshop-for-charity
Docker handons-workshop-for-charityDocker handons-workshop-for-charity
Docker handons-workshop-for-charity
 

Último

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Último (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

Devops Indonesia - DevSecOps - The Open Source Way

  • 1. DEVOPS INDONESIA, Jakarta, 26 September 2018. DevSecOps: The Open Source Way. DevOps Community in Indonesia
  • 14. GLASS HALF EMPTY, GLASS HALF FULL
“... we estimate that fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives; and fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.”
“By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”
DevSecOps: How to Seamlessly Integrate Security Into DevOps, Gartner Inc., September 2016
  • 15. Security is seen as an inhibitor to DevOps
● Security infrastructure has lagged in its ability to become ‘software defined’ and programmable, making it difficult to integrate...
● Modern applications are largely ‘assembled’, not developed, and developers often download and use known vulnerable open-source components and frameworks
  • 16. Applications are ‘assembled’...
...utilizing billions of available libraries, frameworks and utilities
● Not all are created equal: some are healthy and some are not
● All go bad over time; they age like milk, not like wine
● Data shows enterprises consumed an average of 229,000 software components annually, of which 17,000 had a known security vulnerability
  • 17. THE PERFECT STORM
● Cloud
● DevOps
● Open source software innovation explosion
● Containers/microservices
● Digital transformation
  • 18. YOU MANAGE RISK BY
● Securing the assets/infrastructure
● Securing the Dev
● Securing the Ops
● Securing the APIs
  • 19. SECURING THE ASSETS
● Building code
  ● Watching for changes in how things get built
  ● Signing the builds
● Built assets
  ● Scripts, binaries, packages (RPMs), containers (OCI images), machine images (ISOs, etc.)
● Registries (service, container, app)
● Repositories (local on-host image assets)
  • 20. SECURING THE SOFTWARE ASSETS - E.G. IMAGE REGISTRY
● Public and private registries
● Do you require a private registry?
● What security metadata is available for your images?
● Are the images in the registry updated regularly?
● Are there access controls on the registry? How strong are they?
● Who can push images to the registry?
  • 21. SECURING THE ASSETS
HEALTH - security freshness
● A freshness grade for container security
● Monitor the image registry to automatically replace affected images
● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
  • 22. SECURING THE DEVELOPMENT PROCESS
● Potentially lots of parallel builds
● Source code
  ● Where is it coming from?
  ● Who is it coming from?
● Supply chain tooling
  ● CI tools (e.g. Jenkins)
  ● Testing tools
  ● Scanning tools (e.g. Black Duck, Sonatype)
  • 23. SECURING THE OPERATIONS
Deployment
● Trusted registries and repos
● Signatures to authenticate images and authorize their deployment
● Image scanning
● Policies
● Ongoing assessment with automated remediation
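The gating rules from slides 21 and 23 (trusted registries, signed or digest-pinned images, no root, policies evaluated before deployment) turned into one admission check. This is an added example written for this page; it is not code from the deck or from any of the tools it names. The trusted registry host, the two pod manifests and the exact rule set are assumptions for illustration; in practice the same function would sit behind a Kubernetes validating admission webhook or run as a CI step over the rendered manifests.

```python
"""Admission-style policy gate for container deployments.

Added example (not from the slides or from any named tool). Assumptions:
the trusted registry host, the constructed sample manifests and the rule set.
"""
import re

TRUSTED_REGISTRIES = {"registry.example.internal"}  # assumption: the private registry
DIGEST_RE = re.compile(r"^(?P<ref>[^@]+)@sha256:[0-9a-f]{64}$")


def registry_of(ref: str) -> str:
    """Registry host of an image reference, using Docker's resolution rule:
    the first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; anything else resolves to Docker Hub."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def image_violations(image: str) -> list:
    found = []
    m = DIGEST_RE.match(image)
    if not m:
        found.append(f"image {image!r} is not pinned by sha256 digest (tags are mutable)")
    ref = m.group("ref") if m else image
    registry = registry_of(ref)
    if registry not in TRUSTED_REGISTRIES:
        found.append(f"image {image!r} comes from untrusted registry {registry!r}")
    return found


def container_violations(container: dict, pod_sc: dict) -> list:
    name = container.get("name", "?")
    found = image_violations(container.get("image", ""))
    sc = container.get("securityContext", {})
    if sc.get("privileged", False):
        found.append(f"container {name!r} is privileged")
    # runAsNonRoot can be set at pod or container level; the container value wins.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        found.append(f"container {name!r} may run as root (runAsNonRoot is not true)")
    # Kubernetes treats an unset allowPrivilegeEscalation as true.
    if sc.get("allowPrivilegeEscalation", True):
        found.append(f"container {name!r} allows privilege escalation")
    return found


def pod_violations(pod: dict) -> list:
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = []
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            found.append(f"volume {vol.get('name')!r} mounts host path {path!r}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        found.extend(container_violations(c, pod_sc))
    return found


def admit(pod: dict) -> bool:
    """True when the pod passes every rule; a webhook or CI job rejects it otherwise."""
    return not pod_violations(pod)


# Constructed sample manifests, not real workloads.
BAD_POD = {
    "kind": "Pod",
    "metadata": {"name": "web-bad"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "nginx:latest",  # mutable tag, resolves to Docker Hub
            "securityContext": {"privileged": True},
        }],
        "volumes": [{"name": "dockersock",
                     "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

GOOD_POD = {
    "kind": "Pod",
    "metadata": {"name": "web-good"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web/app@sha256:" + "ab" * 32,
            "securityContext": {"privileged": False,
                                "allowPrivilegeEscalation": False},
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], "ADMIT" if admit(pod) else "REJECT")
        for v in pod_violations(pod):
            print("  -", v)
```

Digest pinning matters because a tag such as `latest` can be repointed after the image was scanned and signed; a digest cannot. The registry check deliberately treats a bare image name as Docker Hub, which is the mistake most often made when a private registry policy is written as a simple string match.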
  • 24. SECURING THE OPERATIONS
Lifecycle
● Blue/green, A/B or canary continuous deployments
● Monitoring deployments
● Possibly multiple environments
  • 25. Modern architectures are API driven, requiring a DevOps approach to API management. Visibility, routing, and authorization are the key security concerns.
  • 35. Plan - Threat Modeling Tools
OWASP Threat Dragon Project
Threat Dragon is a free, open-source threat modeling tool from OWASP. It can be used as a standalone desktop app for Windows and macOS (Linux coming soon) or as a web application. The desktop app is a good fit if you want to try the application without giving it access to your GitHub repos; the online version stores your threat models in GitHub, which requires logging in first.
https://github.com/appsecco/owasp-threat-dragon-gitlab
  • 37. Docker Host Security Compliance
  • 38. Security Automation for Containers and VMs with OpenSCAP
SCAP is a set of specifications related to security automation. SCAP is used to improve security posture (hardening and finding vulnerabilities) as well as for regulatory compliance.
https://github.com/dstraub/satellite-plugin
https://github.com/RedHatSatellite/soe-ci
https://servicesblog.redhat.com/2017/06/12/standard-operating-environment-part-iii-a-reference-implementation/
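A small consumer for the XCCDF results file that `oscap xccdf eval --results` (or `oscap-docker image ... xccdf eval --results`) writes, added here as an example; it is not part of the deck, of OpenSCAP or of the Satellite plugins linked above. It compares the current scan with the previous one so a pipeline fails on regressions and on new high-severity failures, rather than on the whole, usually long, list of pre-existing findings. The two XML documents are constructed samples with placeholder rule ids, and matching elements by local name regardless of namespace is an assumption made so the same code reads plain XCCDF 1.1/1.2 and ARF-wrapped output.

```python
"""Continuous-compliance gate over OpenSCAP XCCDF result files.

Added example; the XML below is constructed and the rule ids are placeholders.
Real input is the file written by:  oscap xccdf eval --results results.xml ...
"""
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3}


def local_name(tag: str) -> str:
    """Strip the XML namespace so XCCDF 1.1, 1.2 and ARF-wrapped results all parse."""
    return tag.rsplit("}", 1)[-1]


def rule_results(xml_text: str) -> dict:
    """Map rule id -> (result, severity) for every <rule-result> in the document."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "rule-result":
            continue
        result = next((c.text.strip() for c in el if local_name(c.tag) == "result"), "unknown")
        out[el.get("idref")] = (result, el.get("severity", "unknown").lower())
    return out


def regressions(baseline: dict, current: dict) -> list:
    """Rules that fail now but passed (or were not evaluated) in the baseline scan."""
    return sorted(r for r, (res, _) in current.items()
                  if res == "fail" and baseline.get(r, ("pass",))[0] == "pass")


def failures_at_least(results: dict, min_severity: str = "high") -> list:
    floor = SEVERITY_RANK[min_severity]
    return sorted(r for r, (res, sev) in results.items()
                  if res == "fail" and SEVERITY_RANK.get(sev, 0) >= floor)


def gate(baseline_xml: str, current_xml: str, min_severity: str = "high") -> dict:
    """ok is False when the scan regressed or any failure is at/above min_severity."""
    base, cur = rule_results(baseline_xml), rule_results(current_xml)
    report = {
        "regressions": regressions(base, cur),
        "high_failures": failures_at_least(cur, min_severity),
    }
    report["ok"] = not report["regressions"] and not report["high_failures"]
    return report


def xccdf(rows) -> str:
    """Build a minimal XCCDF 1.2 TestResult from (rule, result, severity) rows (constructed)."""
    body = "".join(
        f'<rule-result idref="{r}" severity="{s}"><result>{res}</result></rule-result>'
        for r, res, s in rows)
    return ('<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">'
            f'<TestResult id="xccdf_example_testresult_1">{body}</TestResult></Benchmark>')


# Constructed sample scans: the second one regressed on a high-severity rule.
BASELINE_XML = xccdf([
    ("xccdf_example_rule_sshd_disable_root_login", "pass", "high"),
    ("xccdf_example_rule_package_telnet_removed", "fail", "medium"),
    ("xccdf_example_rule_partition_for_tmp", "pass", "low"),
])
CURRENT_XML = xccdf([
    ("xccdf_example_rule_sshd_disable_root_login", "fail", "high"),   # regression
    ("xccdf_example_rule_package_telnet_removed", "fail", "medium"),  # pre-existing
    ("xccdf_example_rule_partition_for_tmp", "pass", "low"),
    ("xccdf_example_rule_audit_rules_present", "notapplicable", "medium"),
])

if __name__ == "__main__":
    r = gate(BASELINE_XML, CURRENT_XML)
    print("PASS" if r["ok"] else "FAIL", r)
```

Keeping the previous results file as a pipeline artifact is what makes the regression check possible; the pre-existing medium failure stays visible in the report but does not block the build until the team raises the threshold.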
  • 39. API-aware Networking and Security
Cilium brings API-aware network security filtering to Linux container frameworks like Docker and Kubernetes. Using a Linux kernel technology called BPF, Cilium provides a simple and efficient way to define and enforce both network-layer and application-layer security policies based on container/pod identity.
  • 40. Secure container-aware credentials storage, trust management
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted key/value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL database credentials, X.509 certificates, SSH credentials, and more.
https://github.com/jenkinsci/hashicorp-vault-plugin
  • 42. Static source-code analysis / static application security testing (SAST)
Brakeman - Rails Security Scanner
Static analysis security scanner for Ruby on Rails
https://jenkins.io/doc/pipeline/steps/brakeman/
https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/
  • 43. Static source-code analysis / static application security testing (SAST)
SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in 20+ programming languages.
https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Jenkins
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
  • 45. Static Application Security Testing (SAST)
Clair: The Container Image Security Analyzer
Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).
https://github.com/benfab/clair-demo
Integrate image scanning into Jenkins pipelines with clairctl
Clairctl is a lightweight command-line tool that bridges registries such as Docker Hub, Docker Registry or Quay.io and the CoreOS vulnerability tracker, Clair. Clairctl acts as a reverse proxy for authentication.
https://github.com/jgsqware/clairctl
Jenkins CI Image Vulnerability Scan
https://github.com/protacon/ci-image-vulnerability-scan
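What a Jenkins stage does with the scan result once clairctl (or Clair's own API) has returned it, written as an added Python example; it is not part of the deck, of Clair or of clairctl. The JSON follows the shape of a Clair v1 layer response with features and their vulnerabilities (an assumption about the API version, to be checked against the Clair you run), and the package names, versions and CVE-style ids in it are constructed placeholders, not real advisories. The policy distinguishes findings that have a fix available, which a rebuild removes and therefore block the build, from those that do not, which need a tracked exception rather than a permanently red pipeline.

```python
"""Vulnerability gate over a Clair layer report inside a CI pipeline.

Added example. The report below is constructed: package names, versions and
CVE-style ids are placeholders, not real advisories. Assumed shape: the
Clair v1 response to GET /v1/layers/<name>?features&vulnerabilities
"""
# Clair's severity scale, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]
RANK = {s: i for i, s in enumerate(SEVERITY_ORDER)}


def findings(report: dict) -> list:
    """Flatten features -> vulnerabilities into one record per finding."""
    out = []
    for feat in report.get("Layer", {}).get("Features", []):
        for vuln in feat.get("Vulnerabilities", []):
            out.append({
                "package": feat.get("Name"),
                "version": feat.get("Version"),
                "id": vuln.get("Name"),
                "severity": vuln.get("Severity", "Unknown"),
                "fixed_by": vuln.get("FixedBy", ""),  # empty when no fixed version exists
            })
    return out


def evaluate(report: dict, threshold: str = "High") -> dict:
    """Split findings at or above the threshold into fixable ones (block the build,
    rebuild with the updated package) and unfixed ones (need a tracked exception)."""
    floor = RANK[threshold]
    blocking, unfixed = [], []
    for f in findings(report):
        if RANK.get(f["severity"], 0) < floor:
            continue
        (blocking if f["fixed_by"] else unfixed).append(f)
    return {
        "ok": not blocking,
        "blocking": sorted(blocking, key=lambda f: (-RANK.get(f["severity"], 0), f["id"])),
        "unfixed": sorted(unfixed, key=lambda f: f["id"]),
    }


def worst_severity(report: dict) -> str:
    """Highest severity present in the layer, for the freshness grade of the image."""
    return max((f["severity"] for f in findings(report)),
               key=lambda s: RANK.get(s, 0), default="Unknown")


# Constructed placeholder report (not real packages or advisories).
SAMPLE_REPORT = {
    "Layer": {
        "Name": "sha256:" + "cd" * 32,
        "Features": [
            {"Name": "libexample", "Version": "1.2.0-1", "Vulnerabilities": [
                {"Name": "CVE-0000-0001", "Severity": "High", "FixedBy": "1.2.0-2"},
                {"Name": "CVE-0000-0002", "Severity": "Low", "FixedBy": "1.2.1-1"},
            ]},
            {"Name": "libother", "Version": "3.4.5", "Vulnerabilities": [
                {"Name": "CVE-0000-0003", "Severity": "Critical"},  # no fix published yet
            ]},
            {"Name": "clean-pkg", "Version": "0.1"},
        ],
    }
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT)
    print("worst:", worst_severity(SAMPLE_REPORT), "build ok:", result["ok"])
    for f in result["blocking"]:
        print("BLOCK ", f["id"], f["package"], f["version"], "->", f["fixed_by"])
    for f in result["unfixed"]:
        print("TRACK ", f["id"], f["package"], f["version"], "(no fix available)")
```

The same split feeds the "monitor the registry and replace affected images" idea from the earlier slide: when a vulnerability's `FixedBy` changes from empty to a version, the image moves from the tracked list to the blocking list and a rebuild is triggered.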
  • 46. Dynamic Application Security Testing (DAST)
OWASP Zed Attack Proxy Project is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing.
https://plugins.jenkins.io/zapper
https://wiki.jenkins.io/display/JENKINS/Zapper+Plugin
https://youtu.be/xMLb7BDdfNo
  • 47. Dynamic Application Security Testing (DAST)
Free, Simple, Distributed, Intelligent, Powerful, Friendly.
Arachni is a feature-full, modular, high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of modern web applications.
https://blog.secodis.com/2016/03/17/automated-security-tests-3-jenkins-arachni-threadfix/
https://wiki.jenkins.io/display/JENKINS/Arachni+Scanner+plugin
  • 49. Mobile Application Security Testing (MAST)
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA and APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless.
https://medium.com/@omerlh/how-to-continuously-hacking-your-app-c8b32d1633ad
https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/10.-MobSF-CI-CD
  • 51. Security Framework
Managed Ecosystem for Secure Operations
SIMP is an open source, fully automated, and extensively tested framework that can either enhance your existing infrastructure or allow you to quickly build one from scratch. Built on the mature Puppet product suite, SIMP is designed around scalability, flexibility, and compliance.
  • 52. Container Security Framework
NIST Special Publication 800-190: Application Container Security Guide
● Access Control
● Configuration Management
● System and Communications Protection
● System and Information Integrity
● Audit and Accountability
● Awareness and Training
● Identification and Authentication
● Incident Response
● Risk Assessment
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
  • 53. BRINGING IT ALL TOGETHER
  • 55. Continuous learning of DevSecOps concepts
OWASP DevSecOps Studio Project
DevSecOps Studio is a self-contained DevSecOps environment/distribution to help individuals learn DevSecOps concepts. Setting up such an environment for training or demos takes a lot of effort and is error-prone when done manually.
Features:
● Easy to set up with a single command, “vagrant up”
● Teaches Security as Code, Compliance as Code, Infrastructure as Code
● Built-in support for a CI/CD pipeline
● OS hardening using Ansible
● Compliance as code using InSpec
● QA security using ZAP, BDD-Security and Gauntlt
● Static tools like bandit, brakeman, windbags, gitrob, gitsecrets
● Security monitoring using the ELK stack
  • 56. BRINGING IT ALL TOGETHER
● Git server to store code and infrastructure (as code)
● CI/CD pipeline that embeds security (SAST, DAST, hardening, compliance, etc.) as part of CI/CD
● Add security tools as jobs
● Analyze and fix the issues found
https://github.com/teacheraio/DevSecOps-Studio/wiki
  • 59. Are You Awesome? We are hiring! Check https://t.me/IDDevOps for details.
  • 60. Alone we are smart, together we are brilliant. THANK YOU! (Quote by Steve Anderson)