DevSecOps for Real
All DevOps practices work towards speeding up the cadence of software delivery within an organisation. This should never come at the cost of compromising security and compliance; we should instead work towards improving and embedding security practices as part of the DevOps adoption.
Enter Rugged DevOps, or DevSecOps. Continuous Assurance, shift-left and others are the buzzwords of the moment, but their foundations are very solid.

So, besides Continuous Integration, Continuous Deployment, Continuous Delivery and Continuous Testing, we should start looking at adding Continuous Assurance.


  1. DevSecOps for Real! Mohamed Radwan, Principal DevOps Consultant. Blog: www.mohamedradwan.com
  2. Blog: www.mohamedradwan.com Twitter: @mradwan06
  3. Activity links: http://mohamedradwan.com/ https://social.msdn.microsoft.com/profile/mohamed.radwan-mvp https://www.youtube.com/user/MRadwanMSF https://github.com/DevOpsFounder http://goo.gl/j8pD7U https://goo.gl/C48iey https://stackoverflow.com/users/386323/mohamed-radwan-mvp
  4. Outline • Traditional Security vs. DevSecOps (Rugged DevOps) • Security as a continuously varying state • Evolving DevOps • Continuous practices & shift left • Security and compliance within DevOps • Vulnerabilities overview • Overview of OWASP • High-level overview of the Secure DevOps Kit for Azure • How to run different types of security scan • Azure Policy
  5. Outline (part 2) • Azure Policy and Release Management • Azure Blueprints • Microsoft Azure Security Center • Automate governance and compliance • Continuous security validation within the CI/CD pipeline • Passive penetration test vs. active penetration test • Infrastructure validation • Track vulnerabilities • Demo
  6. Traditional Security vs. DevSecOps (Rugged DevOps)
  7. Security as a continuously varying state • Continuous Integration (CI) • Continuous Deployment (CD) • Continuous Delivery (CD) • Continuous Testing (CT) • Continuous Assurance (CA)
  8. (image only)
  9. Continuous practices & shift left: Develop → Build → Test → Deploy → Operate, with Security at each stage.
  10. Verizon 2016 Data Breach Investigations Report: in 2016 the distribution is very similar to the previous year, with the top 10 vulnerabilities accounting for 85% of successful exploit traffic. These vulnerabilities are well known; they persist because of a lack of awareness and practices. The risk of OSS vulnerabilities.
  11. (image only)
  12. (image only)
  13. (image only)
  14. Overview of the OWASP Top 10 • Injection (never trust any user input) • Broken authentication • Sensitive data exposure • Broken access control • More…
  15. High-level overview of the Secure DevOps Kit for Azure (AzSK). Components: Subscription Security (Policy, RBAC config, etc.); Security Verification Tests (SVTs); Security IntelliSense; CICD build/release extensions; Continuous Assurance runbooks; Log Analytics for alerting & monitoring; Cloud Risk Governance. Stages:
      ❶ Provision security in the subscription
      ❷ Develop securely, spot-check security via scripts
      ❸ Deploy securely from Azure DevOps using Azure Pipelines build/release
      ❹ Periodically scan in production to watch for drift
      ❺ Single security dashboard across DevOps stages
      ❻ Manage data-driven improvement to security
  16. Security IntelliSense
  17. SVTs: ad-hoc scan
  18. SVTs: Continuous Assurance scan
  19. SVTs: build/deployment scan using the AzSK pipeline extension
  20. Install AzSK
  21. Commands of AzSK
  22. SVTs: ad-hoc scan
  23. Scan a subscription using AzSK
  24. Scan result (.CSV)
  25. Auto-fix script
  26. SVTs: Continuous Assurance scan
  27. Run a Continuous Assurance scan for a subscription using AzSK
  28. SVTs: build/deployment scan using the AzSK pipeline extension
  29. Check security in CI/CD pipelines: Code Complete → Dev Environment → Test Environment → Prod Environment
  30. Azure Policy: Enforce and Audit
  31. Create and assign Azure Policy
  32. Quick review of deployment to environments (environment → approvers):
      • Developer environments (1:n) → Dev
      • QA for feature test (1:n) → QA
      • QA for functionality test (end-to-end) → QA
      • Pre-prod-like usage with real data → Release Managers
      • Production environment → Release Managers
  33. Sign-in and sign-off process and automation (same environments and approvers as above):
      • Sign-in: accept the release to be deployed here; accept that this release has all prerequisites (DoD); accept to start working on this release
      • Sign-off: approve that this release is completed and ready for the next stage; the next stage is ready and secure
  34. Release gate using Azure Policy
  35. Policy violation failed the release
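Slides 30, 31, 34 and 35 show Azure Policy being assigned in Audit or Deny mode and then used as a release gate that fails on a policy violation. The following is an added example, not code from the deck, from Azure or from AzSK: it keeps the Azure Policy definition shape (policyRule if/then with a parameterised effect) and evaluates one definition locally against constructed resource descriptions, so you can see what the Audit and Deny effects mean and why the gate fails. The real evaluation is performed by the Azure Policy engine; the alias-to-property mapping, the reduced resource shape and the sample resources are assumptions made for illustration.

```python
"""Azure Policy as a release gate, simulated locally (added example)."""
from typing import Any, Optional

# Definition: storage accounts must enforce HTTPS-only traffic. The effect is a
# parameter so one definition can be assigned as Audit (flag the non-compliant
# resource) or Deny (refuse the deployment).
HTTPS_ONLY_STORAGE_POLICY: dict[str, Any] = {
    "mode": "Indexed",
    "parameters": {
        "effect": {
            "type": "String",
            "allowedValues": ["Audit", "Deny"],
            "defaultValue": "Audit",
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {
                    "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                    "notEquals": "true",
                },
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    },
}

# Constructed resources in a reduced ARM-like shape (assumption, not real output).
SAMPLE_RESOURCES = [
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines", "properties": {}},
    {"name": "goodstore", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "weakstore", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
]


def _field_value(resource: dict, field: str):
    """Resolve a policy 'field' against a resource.

    'type' is a top-level property; an alias such as
    'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly' is mapped to its
    last path segment under 'properties' (simplification: real aliases can be
    deeper). Booleans are compared as lower-case strings, as in policy JSON.
    """
    if field == "type":
        return resource.get("type")
    value = resource.get("properties", {}).get(field.rsplit("/", 1)[-1])
    return str(value).lower() if isinstance(value, bool) else value


def _matches(resource: dict, condition: dict) -> bool:
    """Evaluate the 'if' block: allOf / anyOf / not / equals / notEquals."""
    if "allOf" in condition:
        return all(_matches(resource, c) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(resource, c) for c in condition["anyOf"])
    if "not" in condition:
        return not _matches(resource, condition["not"])
    value = _field_value(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    raise ValueError(f"unsupported condition: {condition}")


def _resolve_effect(policy: dict, assignment_params: dict) -> str:
    """Resolve "[parameters('effect')]" from the assignment, else the default."""
    effect = policy["policyRule"]["then"]["effect"]
    if effect.startswith("[parameters('"):
        name = effect[len("[parameters('"):-len("')]")]
        return assignment_params.get(name, policy["parameters"][name]["defaultValue"])
    return effect


def evaluate(policy: dict, resource: dict, assignment_params: Optional[dict] = None) -> dict:
    """Outcome for one resource. The 'if' block describes the NON-compliant
    shape, so a match means the effect applies: Deny would have blocked the
    deployment, Audit records a non-compliant resource that still exists."""
    matched = _matches(resource, policy["policyRule"]["if"])
    effect = _resolve_effect(policy, assignment_params or {})
    return {
        "resource": resource["name"],
        "compliant": not matched,
        "effect": effect if matched else None,
        "deployment_blocked": matched and effect == "Deny",
    }


def release_gate(policy: dict, resources: list, assignment_params: Optional[dict] = None):
    """Pipeline gate: pass only if every resource in scope is compliant.
    Under an Audit assignment the gate is what stops the release; under Deny
    the deployment itself fails first."""
    results = [evaluate(policy, r, assignment_params) for r in resources]
    violations = [r["resource"] for r in results if not r["compliant"]]
    return (not violations, violations)


if __name__ == "__main__":
    passed, violations = release_gate(HTTPS_ONLY_STORAGE_POLICY, SAMPLE_RESOURCES)
    print("release gate:", "PASSED" if passed else f"FAILED, violations: {violations}")
```

The point of keeping the effect as a parameter is operational: assign the definition as Audit first to measure the blast radius across existing subscriptions, let the gate block releases that touch non-compliant resources, then switch the assignment to Deny once the backlog is clean.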
  36. AzSK pipeline extension (Release)
  37. Azure Blueprints: deploy and update cloud environments in a repeatable manner using composable artifacts. Role Based Access Controls, Policy Definitions and ARM Templates are composed into an Azure Blueprint, which is then managed and scaled across Subscription 1, Subscription 2, Subscription 3 … Subscription N.
  38. Azure Blueprints: getting started
  39. Microsoft Azure Security Center • Centralized policy management • Continuous security assessment • Actionable recommendations • Advanced cloud defenses • Prioritized alerts and incidents • Integrated security solutions
  40. (image only)
  41. Automate governance and compliance: Azure Policy • Azure Blueprints • Azure Automation • Azure Pipelines • AzSK Continuous Assurance
  42. Continuous security validation within the CI/CD pipeline (stage: checks → feedback):
      • IDE / Pull Request: static code analysis, code review, work item linking → code review comments, static code rule warnings
      • CI: static code analysis, OSS vulnerability scan, unit tests, code metrics → OSS vulnerabilities, OSS license violations, failed unit tests, static code rule warnings
      • Dev: passive pen test, SSL scanner, infrastructure scan → pen test issues, SSL issues, infrastructure issues
      • Test: passive pen test, SSL scanner, infrastructure scan, load and performance testing, automated regression testing → pen test issues, SSL issues, performance issues, regression bugs, infrastructure issues
      • Nightly test runs: infrastructure scan, active pen test, load and performance testing, automated regression testing → pen test issues, SSL issues, performance issues, regression bugs, infrastructure issues
  43. Passive penetration test vs. active penetration test:
      • Application CI/CD pipeline: Build → Static Security Scan → Deploy Package → Passive Pentest (pull OWASP ZAP weekly, start the container, run the baseline scan (1 to 2 min), report results). High alerts fail the release; all alerts create bugs.
      • Nightly OWASP ZAP pipeline (nightly schedule): application full active scan (pull OWASP ZAP weekly, start the container, spider the site, run the active scan, report results). High alerts fail the release; all alerts create bugs.
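Slide 43 leaves the two decisions at the end of both ZAP pipelines ("High alerts fail the release", "all alerts create bugs") as boxes. The following is an added example, not code from the deck and not part of OWASP ZAP, that implements those two decisions over a ZAP JSON report. The report layout (site[] → alerts[] with riskcode 0..3, alert name, confidence, cweid and instances) follows the JSON report ZAP's baseline and full-scan scripts write with -J; the sample report embedded below is constructed, and the mapping from ZAP risk to work-item severity is an assumption.

```python
"""Release gating and bug creation from an OWASP ZAP JSON report (added example)."""
import json

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
# Work-item severity per ZAP risk (assumption: 1 is the most severe).
SEVERITY_BY_RISK = {3: 1, 2: 2, 1: 3, 0: 4}

# Constructed report in the shape ZAP emits with -J, trimmed to the keys used
# here. Represents a nightly active scan, which is what can find reflected XSS.
SAMPLE_REPORT = json.dumps({
    "@version": "2.11.1",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "2", "cweid": "79",
             "instances": [{"uri": "https://app.example.test/search?q=x", "param": "q"}]},
            {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "confidence": "3", "cweid": "693",
             "instances": [{"uri": "https://app.example.test/"},
                           {"uri": "https://app.example.test/login"}]},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "cweid": "693",
             "instances": [{"uri": "https://app.example.test/static/app.js"}]},
        ],
    }],
})


def parse_alerts(report_json: str) -> list:
    """Flatten a ZAP JSON report into one record per (site, alert)."""
    report = json.loads(report_json)
    alerts = []
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            risk = int(a.get("riskcode", 0))
            alerts.append({
                "site": site.get("@name", ""),
                "name": a.get("alert") or a.get("name", "unnamed"),
                "risk": risk,
                "risk_name": RISK_NAMES.get(risk, "Unknown"),
                "confidence": int(a.get("confidence", 0)),
                "cwe": a.get("cweid"),
                "instances": [i.get("uri", "") for i in a.get("instances", [])],
            })
    return alerts


def bugs_from_alerts(alerts: list) -> list:
    """'All alerts create bugs': one bug per alert, carrying the affected URIs
    as evidence so the developer can reproduce it without rerunning the scan."""
    bugs = []
    for a in alerts:
        bugs.append({
            "title": f"[ZAP][{a['risk_name']}] {a['name']} on {a['site']}",
            "severity": SEVERITY_BY_RISK.get(a["risk"], 4),
            "tags": ["security", "zap", f"cwe-{a['cwe']}" if a["cwe"] else "cwe-unknown"],
            "description": "\n".join(a["instances"]),
        })
    return bugs


def gate(alerts: list, fail_at: str = "High") -> dict:
    """'High alerts fail the release': fail if any alert is at or above fail_at.
    Lowering fail_at to "Medium" tightens the gate, e.g. for the nightly scan."""
    threshold = {name: code for code, name in RISK_NAMES.items()}[fail_at]
    failing = [a["name"] for a in alerts if a["risk"] >= threshold]
    return {"fail_release": bool(failing), "failing_alerts": failing,
            "bug_count": len(alerts)}


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_REPORT)
    decision = gate(found)
    for bug in bugs_from_alerts(found):
        print(f"bug sev {bug['severity']}: {bug['title']}")
    print("release:", "FAIL" if decision["fail_release"] else "PASS", decision["failing_alerts"])
```

In the pipeline the JSON comes from the ZAP container (the baseline script's -J option) and the bug records would be posted to the work-item API; both are outside this example. Creating a bug for every alert but failing only on High keeps the fast passive scan from blocking every release over header findings while still making them visible.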
  44. Infrastructure validation: Continuous Assurance; Azure scanner; whitelisted endpoints and ports. Any non-whitelisted public endpoint/port detected will create a bug.
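Slide 44 describes the infrastructure check as a comparison between what a scanner finds exposed and a whitelist of endpoints and ports, with a bug for every mismatch. The following is an added example, not the deck's code and not AzSK: it takes an inventory of public endpoints (address, port, protocol) as a scanner would report them, matches each against allowlist rules (CIDR or exact hostname plus ports), and turns every non-allowlisted endpoint into a bug record. The inventory, the allowlist and the port-based severity heuristic are constructed assumptions.

```python
"""Public-endpoint drift check against an allowlist (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    address: str          # IPv4/IPv6 literal or hostname, as reported by the scanner
    port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class AllowRule:
    target: str           # CIDR, single IP, or exact hostname
    ports: frozenset      # allowed ports; an empty set means any port
    protocol: str = "tcp"


# Assumption: management and database ports exposed publicly are rated High.
HIGH_RISK_PORTS = {22, 23, 3389, 1433, 3306, 5432, 27017, 6379, 5985, 5986}

# Constructed allowlist: the public web tier and its load balancer only.
ALLOWLIST = [
    AllowRule("203.0.113.0/24", frozenset({80, 443})),
    AllowRule("web-lb.example.test", frozenset({443})),
    AllowRule("2001:db8::/32", frozenset({443})),
]

# Constructed scanner output.
DISCOVERED = [
    Endpoint("203.0.113.10", 443),
    Endpoint("203.0.113.10", 22),
    Endpoint("web-lb.example.test", 443),
    Endpoint("198.51.100.5", 8080),
    Endpoint("203.0.113.20", 3389),
    Endpoint("203.0.113.30", 443, "udp"),
    Endpoint("2001:db8::10", 443),
]


def _address_allowed(address: str, target: str) -> bool:
    """IP literals are matched against CIDR/IP targets; hostnames must match
    exactly. An IP never matches a hostname rule and vice versa."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return address.lower() == target.lower()
    try:
        return ip in ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False


def is_allowed(ep: Endpoint, allowlist: list) -> bool:
    """An endpoint is allowed only if some rule matches protocol, port and address."""
    for rule in allowlist:
        if rule.protocol != ep.protocol:
            continue
        if rule.ports and ep.port not in rule.ports:
            continue
        if _address_allowed(ep.address, rule.target):
            return True
    return False


def find_drift(discovered: list, allowlist: list) -> list:
    """'Any non-whitelisted public endpoint/port detected will create a bug'."""
    bugs = []
    for ep in discovered:
        if is_allowed(ep, allowlist):
            continue
        severity = "High" if ep.port in HIGH_RISK_PORTS else "Medium"
        bugs.append({
            "title": f"Non-whitelisted public endpoint {ep.address}:{ep.port}/{ep.protocol}",
            "severity": severity,
            "endpoint": ep,
        })
    return bugs


if __name__ == "__main__":
    for bug in find_drift(DISCOVERED, ALLOWLIST):
        print(f"{bug['severity']:6} {bug['title']}")
```

Ports are checked before addresses so that a rule covering a whole subnet cannot silently allow an extra service on a host in that subnet; the SSH and RDP exposures on allowlisted web hosts are exactly the drift this check exists to catch.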
  45. Track vulnerabilities
  46. SonarCloud
  47. SonarCloud result
  48. WhiteSource Bolt extension
  49. WhiteSource Bolt result
  50. Thank you! Mohamed Radwan, Principal DevOps Consultant. Blog: www.mohamedradwan.com