SlideShare a Scribd company logo
1 of 18
Download to read offline
DevSecOps
Deliver value faster safer
Peter Bink – September 2020
The DevXXXOps explosion
DataOps
DevSecOps
MLOps
GitOps
AIOps
DevDataOps
DesignOps
CloudOps
NoOps
WinOps
=
DevOps 2
DevTestOps
• Advanced Persistent Threat
Also lone wolves:
Gary McKinnon – “Your security is crap”
Source: https://www.varonis.com/blog/apt-groups/
Iran’s nuclear program
(Stuxnet) 2010
2014 – Sony
2016 – Bangladesh Bank
2017 - WannaCry
2016 – Hilary
Clinton
2019 –
Venezuelan
military
Cybercrime – who are they?
2019 – Toyota
data breach
FIG (fun, ideology, and grudge)
Other (errors, glitches, etc.)
And why do they do it?
Security Incidents – New Zealand
• NZX / Metservice / Mt Ruapehu parking / …?
• Lion brewery (AU) – website was changed so clients could order milk at a Sydney based consultancy firm. Lion
shut down their IT systems to stop the attack which impacted their supply.
• Blackbaud – US based provider of SaaS for a lot of universities worldwide, such as Auckland university. Data has
been stolen, ransom has been paid and data has been ‘destroyed’.
• The website of LPM Property Management - showed passports, drivers licenses, and other identity documents, of
New Zealanders and other nationalities.
• Contact details of people who have been in contact with New Zealand Police may have been breached.
• A KiwiSaver provider, Generate, has had its computer systems breached and the personal information of 26,000 of
its customers has been taken.
• …
• NZ Firearms register from NZ Police
• Tu Ora Compass health - Up to 1 million New Zealand patients' data breached in criminal cyber hack
2019
2020
“Applications are the weakest links”
53% of all breaches are caused by vulnerabilities in Applications
Source: 2020 State of application security, Forrester
Source: 2019 Data Breach Investigations Report, Verizon
‘Fun’ facts around data
breaches
Source: 2019 State of the software supply chain report, Sonatype
Source: 2020 State of application security, Forrester
Source: 2020 - 107 Must-Know Data Breach Statistics, Varonis
Source: 2019 Cost of a data breach report, IBM
Source: 2020 Top 5 cyber security stats, Cybersecurity ventures
“Open source continues to infect everything”
85% of your code is sourced from external suppliers
The average time to identify and contain a breach is 279 days
The average total cost of a data breach is $USD 3.92 Million
Cybercrime damage costs are predicted to hit US$ 6 trillion annually
Source: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Attack Example – 2017 Equifax data breach
US DOJ Indictment: https://www.justice.gov/opa/press-release/file/1246891/download
• In September 2017, credit reporting giant Equifax reported it had been hacked.
• 147.9 million people were affected (40% of US population).
• Names, date of births, drivers license numbers, and social security numbers
were stolen plus 200k credit card numbers.
• Cost Equifax 1.4 Billion.
• Attributed to the People’s Liberation Army (PLA),
the armed forces of the Peoples Republic of China.
• Specifically, the PLA’s 54th Research Institute, also
known as APT10.
• Apache struts vulnerability was not identified on the online dispute portal
• Attacker set up a web shell for persistence “Jquery1.3.2.min.jsp”
• Attacker was not detected immediately
• Individual databases were not segmented from each other
• Databases contained credentials for other servers/databases
US GAO Report: https://www.gao.gov/assets/700/694158.pdf
Attack Example – 2017 Equifax data breach
(CVE-2017-5638)
Attempts to exploit this vulnerability on your servers occur every day
(CVE-2017-5638)
Attack Example – 2017 Equifax data breach
‘Old’ way of working
Penetration testing provides assurance that a solution is secure in its
current state, at the current time, however:
• Any code change has the potential to introduce new vulnerabilities.
• Over time new vulnerabilities will be discovered in
libraries/frameworks.
• A security tester has a limited budget and limited time.
• It is expensive to fix issues or make design changes at the end of the
SDLC.
Finding & fixing security defects at the end of the SDLC
How to move security earlier in the SDLC??????
DevOps and security -
Challenges
• Continuous delivery / often deployments
o and the need for continuous security attention not always match
o and security architecture support for waterfall projects is not similar
• DevOps teams (autonomous) may lack security knowledge
• Use a lot of tooling, libraries and cloud may increase the security risks
• DevOps teams need the freedom to experiment to keep improving
• Empowered and autonomous team have a lot of rights
How this data breach could have been prevented:
Detecting Apache Struts CVE-2017-5638
• Library/Framework Vulnerability Scanning
• Container Vulnerability Scanning
• Static Application Security Testing
• Dynamic Application Security Testing
Designing systems that would be resilient to the Equifax attack
• Web Application Firewall & Virtual Patching
• Input Validation
• Restricting internet access on servers (Firewall/Proxy)
• OS/container Hardening
• Network Segmentation
• Secure Credential Storage (no passwords in databases)
• Ephemeral Environments
https://github.com/OWASP/ASVS
(CVE-2017-5638)
Attack Example – 2017 Equifax data breach
DevOps and security together:
DevSecOps
• Automated security checks can be built into the pipeline
• A lot of tools are available to address security concerns
• Sonarcube - SAST
• OWASP ZAP - DAST
• Whitesource Bolt - SCA
• Microsoft Security Code
• Codacy, Sonarcube, Snyk, Acunetix, logz.io, Contrast security, ….
• Organisations that have mature DevOps practices are 338% more likely
to integrate security across the SDLC (source: Sonatype DevSecOps community
survey 2018)
• Security patches and updates can be applied promptly
• Transparency and continuous improvement
• Long lived product teams: Security is everybody's responsibility
DevSecOps manifesto
Value things on the left over things on the right
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
Source: https://www.devsecops.org/
What can be done in the
SDLC?
Shift left and right
Delivery
team
Version
control
Build Test Release Prod
Security training
Security requirements
Threat modelling
Architecture review
Code examples
OWASP Top 10
IDE plugins
Fail the build
SAST/DAST/IAST
Configuration analysis
Application module scanning
Threat modelling as unit test
Automated Pen testing
Static code analysis
Security policy testing
Configuration analysis
Security monitoring
Configuration monitoring
Solnet dev secops meetup
1. We are all responsible
So what is DevSecOps? ????
Questions
2. Engage InfoSec early and often
3. Use the right security tools right
‘Just’ DevOps….. with focus on
Stay safe!
We’re here to put our experience and know-how to work for
you and provide you with guidance. With us it’s about
collaboration and shared success.
Aotearoa is our home and we’ve been supporting enterprise
organisations for more than 15 years. We deliver advice and
solutions that work locally.
It’s critically important to us that you deliver successful
outcomes because there’s a great deal riding on it!
Deliver Value Faster Safer
• DevOps
• DevSecOps
• Site Reliability Engineering
Peter Bink
DevOps / DevSecOps
Grant Reid
DevOps / SRE
linkedin.com/in/grantreid/linkedin.com/in/peter-bink/
peter.bink@solnet.co.nz grant.reid@solnet.co.nz

More Related Content

What's hot

Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
How to Rapidly Identify Assets at Risk to WannaCry Ransomware
How to Rapidly Identify Assets at Risk to WannaCry RansomwareHow to Rapidly Identify Assets at Risk to WannaCry Ransomware
How to Rapidly Identify Assets at Risk to WannaCry RansomwareQualys
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the CloudAlert Logic
 
Infosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
Infosec 2014: Risk Analytics: Using Your Data to Solve Security ChallengesInfosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
Infosec 2014: Risk Analytics: Using Your Data to Solve Security ChallengesSkybox Security
 
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryHow COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryCR Group
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security PractitionerAdrian Sanabria
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Designcentralohioissa
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS   IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS   IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationDerrick Hunter
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
 
Netpluz - Managed Firewall & Endpoint Protection
Netpluz - Managed Firewall & Endpoint Protection Netpluz - Managed Firewall & Endpoint Protection
Netpluz - Managed Firewall & Endpoint Protection Netpluz Asia Pte Ltd
 
Disección de amenazas en entornos de nube
Disección de amenazas en entornos de nubeDisección de amenazas en entornos de nube
Disección de amenazas en entornos de nubeCristian Garcia G.
 
The state of endpoint defense in 2021
The state of endpoint defense in 2021The state of endpoint defense in 2021
The state of endpoint defense in 2021Adrian Sanabria
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionPriyanka Aash
 
Security Starts at the Endpoint
Security Starts at the EndpointSecurity Starts at the Endpoint
Security Starts at the EndpointElasticsearch
 
Anatomy of the Compromised Insider
Anatomy of the Compromised InsiderAnatomy of the Compromised Insider
Anatomy of the Compromised InsiderImperva
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?centralohioissa
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityMarketingArrowECS_CZ
 

What's hot (20)

Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
How to Rapidly Identify Assets at Risk to WannaCry Ransomware
How to Rapidly Identify Assets at Risk to WannaCry RansomwareHow to Rapidly Identify Assets at Risk to WannaCry Ransomware
How to Rapidly Identify Assets at Risk to WannaCry Ransomware
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
 
Infosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
Infosec 2014: Risk Analytics: Using Your Data to Solve Security ChallengesInfosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
Infosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
 
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryHow COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Design
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS   IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS   IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
 
Netpluz - Managed Firewall & Endpoint Protection
Netpluz - Managed Firewall & Endpoint Protection Netpluz - Managed Firewall & Endpoint Protection
Netpluz - Managed Firewall & Endpoint Protection
 
Disección de amenazas en entornos de nube
Disección de amenazas en entornos de nubeDisección de amenazas en entornos de nube
Disección de amenazas en entornos de nube
 
The state of endpoint defense in 2021
The state of endpoint defense in 2021The state of endpoint defense in 2021
The state of endpoint defense in 2021
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
 
Security Starts at the Endpoint
Security Starts at the EndpointSecurity Starts at the Endpoint
Security Starts at the Endpoint
 
Anatomy of the Compromised Insider
Anatomy of the Compromised InsiderAnatomy of the Compromised Insider
Anatomy of the Compromised Insider
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud Security
 

Similar to Solnet dev secops meetup

Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryBlack Duck by Synopsys
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryTim Mackey
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012DaveEdwards12
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxtmbainjr131
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software SecuritydevObjective
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Security Analytics & Security Intelligence-as-a-Service
Security Analytics & Security Intelligence-as-a-ServiceSecurity Analytics & Security Intelligence-as-a-Service
Security Analytics & Security Intelligence-as-a-ServiceMarco Casassa Mont
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Rightpvanwoud
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Democratizing security
Democratizing securityDemocratizing security
Democratizing securitySanjeev Sharma
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsAdrian Sanabria
 

Similar to Solnet dev secops meetup (20)

Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptions
 
Re-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptxRe-Thinking BYOD Policy.pptx
Re-Thinking BYOD Policy.pptx
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software Security
 
Who Owns Software Security?
Who Owns Software Security?Who Owns Software Security?
Who Owns Software Security?
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
CSO CXO Series Breakfast
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series Breakfast
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Security Analytics & Security Intelligence-as-a-Service
Security Analytics & Security Intelligence-as-a-ServiceSecurity Analytics & Security Intelligence-as-a-Service
Security Analytics & Security Intelligence-as-a-Service
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
Democratizing security
Democratizing securityDemocratizing security
Democratizing security
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These Years
 
Eyes Wide Shut: Cybersecurity Smoke & Mirrors...
Eyes Wide Shut: Cybersecurity Smoke & Mirrors...Eyes Wide Shut: Cybersecurity Smoke & Mirrors...
Eyes Wide Shut: Cybersecurity Smoke & Mirrors...
 

Recently uploaded

eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기Chiwon Song
 
Webinar - IA generativa e grafi Neo4j: RAG time!
Webinar - IA generativa e grafi Neo4j: RAG time!Webinar - IA generativa e grafi Neo4j: RAG time!
Webinar - IA generativa e grafi Neo4j: RAG time!Neo4j
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
Kubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxKubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxPrakarsh -
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 

Recently uploaded (20)

eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Sustainable Web Design - Claire Thornewill
Sustainable Web Design - Claire ThornewillSustainable Web Design - Claire Thornewill
Sustainable Web Design - Claire Thornewill
 
20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기20240330_고급진 코드를 위한 exception 다루기
20240330_고급진 코드를 위한 exception 다루기
 
Webinar - IA generativa e grafi Neo4j: RAG time!
Webinar - IA generativa e grafi Neo4j: RAG time!Webinar - IA generativa e grafi Neo4j: RAG time!
Webinar - IA generativa e grafi Neo4j: RAG time!
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
Program with GUTs
Program with GUTsProgram with GUTs
Program with GUTs
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
Kubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxKubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptx
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 

Solnet dev secops meetup

  • 1. DevSecOps Deliver value faster safer Peter Bink – September 2020
  • 3. • Advanced Persistent Threat Also lone wolves: Gary McKinnon – “Your security is crap” Source: https://www.varonis.com/blog/apt-groups/ Iran’s nuclear program (Stuxnet) 2010 2014 – Sony 2016 – Bangladesh Bank 2017 - WannaCry 2016 – Hilary Clinton 2019 – Venezuelan military Cybercrime – who are they? 2019 – Toyota data breach FIG (fun, ideology, and grudge) Other (errors, glitches, etc.) And why do they do it?
  • 4. Security Incidents – New Zealand • NZX / Metservice / Mt Ruapehu parking / …? • Lion brewery (AU) – website was changed so clients could order milk at a Sydney based consultancy firm. Lion shut down their IT systems to stop the attack which impacted their supply. • Blackbaud – US based provider of SaaS for a lot of universities worldwide, such as Auckland university. Data has been stolen, ransom has been paid and data has been ‘destroyed’. • The website of LPM Property Management - showed passports, drivers licenses, and other identity documents, of New Zealanders and other nationalities. • Contact details of people who have been in contact with New Zealand Police may have been breached. • A KiwiSaver provider, Generate, has had its computer systems breached and the personal information of 26,000 of its customers has been taken. • … • NZ Firearms register from NZ Police • Tu Ora Compass health - Up to 1 million New Zealand patients' data breached in criminal cyber hack 2019 2020
  • 5. “Applications are the weakest links” 53% of all breaches are caused by vulnerabilities in Applications Source: 2020 State of application security, Forrester Source: 2019 Data Breach Investigations Report, Verizon ‘Fun’ facts around data breaches Source: 2019 State of the software supply chain report, Sonatype Source: 2020 State of application security, Forrester Source: 2020 - 107 Must-Know Data Breach Statistics, Varonis Source: 2019 Cost of a data breach report, IBM Source: 2020 Top 5 cyber security stats, Cybersecurity ventures “Open source continues to infect everything” 85% of your code is sourced from external suppliers The average time to identify and contain a breach is 279 days The average total cost of a data breach is $USD 3.92 Million Cybercrime damage costs are predicted to hit US$ 6 trillion annually
  • 7. Attack Example – 2017 Equifax data breach US DOJ Indictment: https://www.justice.gov/opa/press-release/file/1246891/download • In September 2017, credit reporting giant Equifax reported it had been hacked. • 147.9 million people were affected (40% of US population). • Names, date of births, drivers license numbers, and social security numbers were stolen plus 200k credit card numbers. • Cost Equifax 1.4 Billion. • Attributed to the People’s Liberation Army (PLA), the armed forces of the Peoples Republic of China. • Specifically, the PLA’s 54th Research Institute, also known as APT10.
  • 8. • Apache struts vulnerability was not identified on the online dispute portal • Attacker set up a web shell for persistence “Jquery1.3.2.min.jsp” • Attacker was not detected immediately • Individual databases were not segmented from each other • Databases contained credentials for other servers/databases US GAO Report: https://www.gao.gov/assets/700/694158.pdf Attack Example – 2017 Equifax data breach (CVE-2017-5638)
  • 9. Attempts to exploit this vulnerability on your servers occur every day (CVE-2017-5638) Attack Example – 2017 Equifax data breach
  • 10. ‘Old’ way of working Penetration testing provides assurance that a solution is secure in its current state, at the current time, however: • Any code change has the potential to introduce new vulnerabilities. • Over time new vulnerabilities will be discovered in libraries/frameworks. • A security tester has a limited budget and limited time. • It is expensive to fix issues or make design changes at the end of the SDLC. Finding & fixing security defects at the end of the SDLC How to move security earlier in the SDLC??????
  • 11. DevOps and security - Challenges • Continuous delivery / often deployments o and the need for continuous security attention not always match o and security architecture support for waterfall projects is not similar • DevOps teams (autonomous) may lack security knowledge • Use a lot of tooling, libraries and cloud may increase the security risks • DevOps teams need the freedom to experiment to keep improving • Empowered and autonomous team have a lot of rights
  • 12. How this data breach could have been prevented: Detecting Apache Struts CVE-2017-5638 • Library/Framework Vulnerability Scanning • Container Vulnerability Scanning • Static Application Security Testing • Dynamic Application Security Testing Designing systems that would be resilient to the Equifax attack • Web Application Firewall & Virtual Patching • Input Validation • Restricting internet access on servers (Firewall/Proxy) • OS/container Hardening • Network Segmentation • Secure Credential Storage (no passwords in databases) • Ephemeral Environments https://github.com/OWASP/ASVS (CVE-2017-5638) Attack Example – 2017 Equifax data breach
  • 13. DevOps and security together: DevSecOps • Automated security checks can be built into the pipeline • A lot of tools are available to address security concerns • Sonarcube - SAST • OWASP ZAP - DAST • Whitesource Bolt - SCA • Microsoft Security Code • Codacy, Sonarcube, Snyk, Acunetix, logz.io, Contrast security, …. • Organisations that have mature DevOps practices are 338% more likely to integrate security across the SDLC (source: Sonatype DevSecOps community survey 2018) • Security patches and updates can be applied promptly • Transparency and continuous improvement • Long lived product teams: Security is everybody's responsibility
  • 14. DevSecOps manifesto Value things on the left over things on the right Leaning in over Always Saying “No” Data & Security Science over Fear, Uncertainty and Doubt Open Contribution & Collaboration over Security-Only Requirements Consumable Security Services with APIs over Mandated Security Controls & Paperwork Business Driven Security Scores over Rubber Stamp Security Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Shared Threat Intelligence over Keeping Info to Ourselves Compliance Operations over Clipboards & Checklists Source: https://www.devsecops.org/
  • 15. What can be done in the SDLC? Shift left and right Delivery team Version control Build Test Release Prod Security training Security requirements Threat modelling Architecture review Code examples OWASP Top 10 IDE plugins Fail the build SAST/DAST/IAST Configuration analysis Application module scanning Threat modelling as unit test Automated Pen testing Static code analysis Security policy testing Configuration analysis Security monitoring Configuration monitoring
  • 17. 1. We are all responsible So what is DevSecOps? ???? Questions 2. Engage InfoSec early and often 3. Use the right security tools right ‘Just’ DevOps….. with focus on
  • 18. Stay safe! We’re here to put our experience and know-how to work for you and provide you with guidance. With us it’s about collaboration and shared success. Aotearoa is our home and we’ve been supporting enterprise organisations for more than 15 years. We deliver advice and solutions that work locally. It’s critically important to us that you deliver successful outcomes because there’s a great deal riding on it! Deliver Value Faster Safer • DevOps • DevSecOps • Site Reliability Engineering Peter Bink DevOps / DevSecOps Grant Reid DevOps / SRE linkedin.com/in/grantreid/linkedin.com/in/peter-bink/ peter.bink@solnet.co.nz grant.reid@solnet.co.nz

Editor's Notes

  1. Japan (top 3 on the list of GDP) has a GDP of US$ 5 trillion. NZ GDP $US 205 billion
  2. Security tools in periodic table Xenialabs: OWASP ZAP Sonatype Nexus IQ CyberAk conjur Veracode Digital.ai App Protection Aqua security HashiCorp vault SonarCube Micro Focus Fortify SCA Synopsis Black Duck Checkmarx SAST Snort PortSwigger Burp suite