Dev secops for real

1. Mohamed Radwan Principal DevOps Consultant Blog: www.mohamedradwan.com DevSecOps for Real!

2. Blog: www.mohamedradwan.com Twitter: @mradwan06

3. Mohamed Radwan www.mohamedradwan.com Activity Links http://mohamedradwan.com/ https://social.msdn.microsoft.com/profile/mohamed.radwan-mvp https://www.youtube.com/user/MRadwanMSF https://github.com/DevOpsFounder http://goo.gl/j8pD7U https://goo.gl/C48iey https://stackoverflow.com/users/386323/mohamed-radwan-mvp

4. Mohamed Radwan www.mohamedradwan.com Outline • Traditional Security Vs. DevSecOps (Rugged DevOps) • Security as a continuously varying state • Evolving DevOps • Continuous Practices & Shift Left • Security and Compliance within DevOps • Vulnerabilities overview • Overview about OWASP • High Overview Of Secure DevOps Kit for Azure • How to run different types of security scan ? • Azure Policy

5. Mohamed Radwan www.mohamedradwan.com Outline (P2) • Azure Policy and Release Management • Azure Blueprints • Microsoft Azure Security Centre • Automate Governance and Compliance • Continuous security validation within CI/CD pipeline • Passive penetration test VS. Active penetration test • Infrastructure validation • Track vulnerabilities • Demo

6. Mohamed Radwan www.mohamedradwan.com Traditional Security Vs. DevSecOps (Rugged DevOps)

7. Mohamed Radwan www.mohamedradwan.com Security as a continuously varying state • Continuous Integration (CI) • Continuous Deployment (CD) • Continuous Delivery (CD) • Continuous Testing (CT) • Continuous Assurance (CA)

8. Mohamed Radwan www.mohamedradwan.com

9. Mohamed Radwan www.mohamedradwan.com Develop Build Test Deploy Operate Continuous Practices & Shift Left SecuritySecurity Security Security Security

10. Mohamed Radwan www.mohamedradwan.com Verizon 2016 Data Breach Investigations Report In 2016, the distribution is very similar to last year, with the top 10 vulnerabilities accounting for 85% while they are very known due the lack of awareness and practices. The risk of OSS vulnerabilities

14. Mohamed Radwan www.mohamedradwan.com Overview about OWASP Top 10 • Injection • Never trust any user input • Broken authentication • Sensitive data exposure • Broken access control • More….. hub

15. 18 Subscription Security (Policy,RBAC Config, etc.) Continuous Assurance Runbooks CICD Build/Release Extensions Log Analytics for Alerting & Monitoring Security IntelliSense. Security Verification Tests (SVTs) Cloud Risk Governance Provision security in subscription❶ Develop securely, spot check security via scripts ❷ Deploy securely from Azure DevOps Using Azure Pipelines build/release ❸ Periodically scan in production to watch for drift ❹Single security dashboard across DevOps stages ❺ Manage data-driven improvement to security ❻ High Overview Of Secure DevOps Kit for Azure Mohamed Radwan www.mohamedradwan.com

16. Mohamed Radwan www.mohamedradwan.com Security IntelliSense

17. Mohamed Radwan www.mohamedradwan.com SVTs Ad-hoc scan

18. Mohamed Radwan www.mohamedradwan.com SVTs Continuous Assurance scan

19. Mohamed Radwan www.mohamedradwan.com SVTs build/deployment scan using AzSK pipeline extension

20. Mohamed Radwan www.mohamedradwan.com Install AzSK

21. Mohamed Radwan www.mohamedradwan.com Commands of AzSK

22. Mohamed Radwan www.mohamedradwan.com SVTs Ad-hoc scan

23. Mohamed Radwan www.mohamedradwan.com Scan Subscription using AzSK

24. Mohamed Radwan www.mohamedradwan.com Scan result .CSV

25. Mohamed Radwan www.mohamedradwan.com Auto fix script

26. Mohamed Radwan www.mohamedradwan.com SVTs Continuous Assurance scan

27. Mohamed Radwan www.mohamedradwan.com Run Continuous Assurance scan for subscription using AzSK

28. Mohamed Radwan www.mohamedradwan.com SVTs build/deployment scan using AzSK pipeline extension

29. Mohamed Radwan www.mohamedradwan.com Check Security in CICD pipelines Code Complete Dev Envmt Test Envmt Prod Envmt

30. Mohamed Radwan www.mohamedradwan.com Azure Policy Enforce and Audit

31. Mohamed Radwan www.mohamedradwan.com Create and assign Azure Policy

32. Dev 1:n Developer environments ReleaseManagerse Production Environment ReleaseManagerse For Pre-Prod Like Usage With Real Data QA For Functionality Test (End-To- End) QA 1:n QA For Feature Test Quick review about deployemnt to enviroments Enviroments Approvers Mohamed Radwan www.mohamedradwan.com

33. ReleaseManagerse For Pre-Prod Like Usage With Real Data QA For Functionality Test (End-To- End) QA 1:n QA For Feature Test Sing-in and Sing-off process and automation Enviroments Approvers • Accept release to be deployed here • Accepted that this release has all prerequisites DoD • Accept to start working on this release • Approved this release is completed and ready for next stage • Next stage is ready and secure Sign-in Sign-off Mohamed Radwan www.mohamedradwan.com

34. Mohamed Radwan www.mohamedradwan.com Release Gate using Azure Policy

35. Mohamed Radwan www.mohamedradwan.com Policy violation failed release

36. Mohamed Radwan www.mohamedradwan.com AzSK pipeline extension (Release)

37. Mohamed Radwan www.mohamedradwan.com Azure Blueprints Deploy and update cloud environments in a repeatable manner using composable artifacts Role Based Access Controls Policy Definitions ARM Templates Azure Blueprints Subscription 1 Subscription 2 Subscription 3 Subscription N compose manage scale

38. Mohamed Radwan www.mohamedradwan.com Azure Blueprints Getting started

39. Mohamed Radwan www.mohamedradwan.com Centralized policy management Continuous security assessment Actionable recommendations Advanced cloud defenses. Prioritized alerts and incidents Integrated security solutions

41. Mohamed Radwan www.mohamedradwan.com Automate Governance and Compliance Azure Policy Azure Blueprint Azure Automation Azure Pipelines AzSK Continuous Assurance

42. Mohamed Radwan www.mohamedradwan.com Continuous security validation within CI/CD pipeline Application CI /CD Nightly Test Runs CI Dev Static Code Analysis Code Review Work Item Linking Static Code Analysis OSS Vulnerability Scan Unit Tests Code Metrics Passive Pen Test SSL Scanner Infrastructure Scan Passive Pen Test SSL Scanner Infrastructure Scan Load and Performance Testing Automated Regression Testing Infrastructure Scan Active Pen Test Load and Performance Testing Automated Regression Testing Infrastructure Scan Feedback OSS Vulnerability Scan OSS License Violations Failed Unit Tests Static Code Rule Warnings Pen Test Issues SSL Issues Performance Issues Regression Bugs Infrastructure Issues Code Review Comments Static Code Rule Warnings Pen Test Issues SSL Issues Performance Issues Regression Bugs Infrastructure Issue Test IDE/Pull Request

43. Passive penetration test VS. Active penetration test Build Static Security Scan Deploy Package Passive Pentest Pull OWASP Zap Weekly Start Container Report Results Run Baseline (1 to 2 min) High Alerts – Fail Release All Alerts – Create Bugs Nightly Schedule Application Full Active Scan Pull OWASP Zap Weekly Start Container Spider Site High Alerts – Fail Release All Alerts – Create Bugs Run Active Scan Report Results Application CI/CD Pipeline Nightly OWASP ZAP Pipeline

44. Infrastructure validation Continuous Assurance Azure Scanner Whitelisted Endpoints and Ports Any non-whitelisted public endpoint/port detected will create a bug

45. Mohamed Radwan www.mohamedradwan.com Track vulnerabilities

46. Mohamed Radwan www.mohamedradwan.com SonarCloud

47. Mohamed Radwan www.mohamedradwan.com SonarCloud result

48. Mohamed Radwan www.mohamedradwan.com WhiteSource Bolt extension

49. Mohamed Radwan www.mohamedradwan.com WhiteSource Bolt result

50. Mohamed Radwan Principal DevOps Consultant Blog: www.mohamedradwan.com Thank you!

Dev secops for real

Esté a ler uma amostra.

Confira estes a seguir

Dev secops for real

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Dev secops for real (20)

Mais recentes (20)