INTRODUCTION TO DEVSECOPS
“You build it, You secure it!”
Setu Parimi
Cloud Security Architect, Penetration Tester
Cybersecurity professional with extensive experience performing Vulnerability Assessments, Third-Party Application Security reviews, Penetration Testing, and Remediation support as it pertains to the security of Applications, Networks, Infrastructure, and Cloud domains.
Skills: Cloud 90%, DevSecOps 85%, PenTesting 83%, Trainings 65%
Security Consulting
● Product Security Audit
● Architecture Reviews
● Secure Architecture design
● Security Automations
● Threat Modelling
● Vendor Analysis
● AppSec Program
● MSSP
Testing & Assessments
● Web Application Penetration Testing
● Cloud Infrastructure Pentesting
● Mobile Application Security Assessment
● Network pentesting and assessment
● Application Source code reviews
Security Trainings
● Cloud Security Trainings
● DevSecOps Trainings
● Penetration testing training
● AWS Security Certification
● CCSK
● Cloud Security Automation
● AWS Cost Control
● SOC Training
CloudSecOps.com | +123456 43777 | hi@cloudsecops.com
Agenda: 5-45-10
➔ DevSecOps Introduction
➔ Key Challenges, Recommendations
➔ DevSecOps Analysis
➔ DevSecOps Core Practices
➔ DevSecOps pipeline for Application & Infrastructure Security
➔ DevSecOps Security Tools Selection Tips
➔ DevSecOps Implementation Strategy
➔ DevSecOps Checklist
Continuous Delivery & DevOps
Continuous Delivery: Small, incremental and frequent code pushes to production. Continuous delivery eschews large production code releases separated by weeks or months.
DevOps: A new mode of intense collaboration between development and operations for the same goals.
DevOps Goals:
➔ Automated Provisioning
➔ No-Downtime Deployments
➔ Monitoring
➔ Fail fast and Open
➔ Automated builds and testing
DevSecOps:
➔ Team or Community effort, not an individual's
➔ Autonomous and Automated Security -> Security at Scale
➔ DevSecOps is an approach to IT security based on the principles of DevOps
➔ DevSecOps spans the entire IT stack
➔ DevSecOps also spans the full software lifecycle
Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering "DevSecOps."
Adding Security to DevOps:
(Survey chart) Do You Believe Your Information Security Policies/Teams Are Slowing IT Down? Responses from Information Security Professionals and IT Operations Professionals
DevSecOps Key Challenges:
➔ DevOps compliance is a top concern of IT leaders, but information security is seen as an inhibitor to DevOps agility.
➔ Security infrastructure has lagged in its ability to become "software defined" and programmable, making it difficult to integrate security controls into DevOps-style workflows in an automated, transparent way.
➔ Modern applications are largely "assembled," not developed, and developers often download and use known vulnerable open-source components and frameworks.
Recommendations:
➔ Start with secure development and training, but don't make developers become security experts or switch tools.
➔ Embrace the concept of people-centric security and empower developers to take personal responsibility for security, compensated for with monitoring. Embrace a "trust and verify" mindset.
➔ Require all information security platforms to expose full functionality via APIs for automatability.
DevSecOps Analysis:
➔ Security Controls Must Be Programmable and Automated Wherever Possible
➔ Use IAM and Role-Based Access Control to Provide Separation of Duties
➔ Implement a Simple Risk and Threat Model for All Applications
➔ Scan Custom Code, Applications and APIs
➔ Scan for OSS Issues in Development
➔ Scan for Vulnerabilities and Correct Configuration in Development
➔ Treat Scripts/Recipes/Templates/Layers as Sensitive Code
➔ Measure System Integrity and Ensure Correct Configuration at Load
➔ Lock Down Production Infrastructure and Services
DevSecOps Core Practices:
Delivering DevSecOps:
Step 1: Assess Your Current Security Controls
Step 2: Inserting “Sec” into DevOps
Step 3: Integrate DevSecOps into Security Operations
Step 1: Assess Your Current Security Controls for Cloud
➔ Most likely threats
➔ Data types and sensitivity
➔ System builds and controls
➔ Cloud Infrastructure security posture
➔ Existing controls in place
➔ Controls we lose in cloud
Step 2: Inserting “Sec” into DevOps
➔ Development
➔ Inventory Management
➔ Configuration and Patch Posture
➔ Vulnerability Scanning and Assessment
➔ Account and Privilege Management
➔ Logging and Event Management
➔ Change Detection and Automated Rollback
➔ Microsegmentation
Step 3: Integrate DevSecOps into Security Operations
➔ Security tools help to automate or speed up the DevOps processes, e.g. Chef, Ansible, Puppet, Lambda
➔ Scenario:
◆ Security tools detect suspicious behavior on an instance in the cloud provider environment and trigger an automated response workflow via APIs that communicate with a DevSecOps automation engine or product
◆ The network allocation of the instance is changed via scripts and API calls to a dedicated “quarantine virtual switch” in the cloud environment that has no direct Internet connectivity
◆ A local process begins disk and memory acquisition on the suspect instance, which is copied to a forensic storage node in the cloud controlled by the security team and automatically protected with dedicated encryption
◆ The security and operations teams can then automatically perform a rollback of the instance to a known good state (or, more likely, create a new one from the most recent template).
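The scenario above as a worked response workflow, written for this page and not part of the original deck: it runs against a constructed in-memory stand-in for the cloud API (the class and method names are assumptions, with the equivalent boto3 EC2 calls noted in a comment), isolates the instance on the quarantine group, acquires disk and memory to the security team's store, and only then replaces the instance from its template. A quarantine group that still allows egress aborts the run before any change is made.

```python
from dataclasses import dataclass, field
from typing import Dict, List
import hashlib


@dataclass
class Instance:
    instance_id: str
    security_groups: List[str]
    template: str                      # known-good template the instance was built from
    volumes: Dict[str, bytes] = field(default_factory=dict)  # constructed disk contents
    memory: bytes = b""                # constructed memory image
    state: str = "running"


class InMemoryCloud:
    """Constructed stand-in for the provider API (an assumption, not a real SDK).
    With boto3 the same steps map to ec2.modify_instance_attribute(Groups=...),
    ec2.create_snapshot, ec2.terminate_instances and ec2.run_instances."""

    def __init__(self, instances: List[Instance], egress_rules: Dict[str, List[str]]):
        self.instances = {i.instance_id: i for i in instances}
        self.egress_rules = egress_rules           # security group -> allowed egress CIDRs
        self.forensic_store: Dict[str, str] = {}   # security-team node: artifact -> sha256
        self._counter = 0

    def egress_for(self, sg_id: str) -> List[str]:
        return self.egress_rules.get(sg_id, [])

    def set_security_groups(self, instance_id: str, groups: List[str]) -> None:
        self.instances[instance_id].security_groups = list(groups)

    def store_artifact(self, name: str, data: bytes) -> str:
        # Encryption at rest is the forensic node's job (assumption); the digest is kept
        # so the evidence can later be verified against what was acquired.
        digest = hashlib.sha256(data).hexdigest()
        self.forensic_store[name] = digest
        return digest

    def terminate(self, instance_id: str) -> None:
        self.instances[instance_id].state = "terminated"

    def launch_from_template(self, template: str, groups: List[str]) -> str:
        self._counter += 1
        new = Instance(f"i-new{self._counter}", list(groups), template)
        self.instances[new.instance_id] = new
        return new.instance_id


class ResponseWorkflow:
    """Quarantine, acquire, then roll back, in that order: evidence is captured
    before anything destructive happens, and a leaky quarantine group aborts the run."""

    def __init__(self, cloud: InMemoryCloud, quarantine_sg: str):
        self.cloud = cloud
        self.quarantine_sg = quarantine_sg

    def handle_alert(self, instance_id: str, alert_id: str) -> dict:
        # Guard: the "quarantine virtual switch" must really have no Internet path.
        if self.cloud.egress_for(self.quarantine_sg):
            raise RuntimeError(f"{self.quarantine_sg} allows egress; refusing to quarantine")
        inst = self.cloud.instances[instance_id]
        original_groups = list(inst.security_groups)
        # Step 1: isolate the instance by moving it onto the quarantine group only.
        self.cloud.set_security_groups(instance_id, [self.quarantine_sg])
        # Step 2: acquire disk and memory to the security-team-controlled store.
        artifacts = {}
        for vol_id, data in inst.volumes.items():
            name = f"{alert_id}/{instance_id}/{vol_id}.img"
            artifacts[name] = self.cloud.store_artifact(name, data)
        mem_name = f"{alert_id}/{instance_id}/memory.raw"
        artifacts[mem_name] = self.cloud.store_artifact(mem_name, inst.memory)
        # Step 3: only now roll back, by replacing the instance from its template.
        self.cloud.terminate(instance_id)
        replacement = self.cloud.launch_from_template(inst.template, original_groups)
        return {"quarantined": instance_id, "artifacts": artifacts, "replacement": replacement}


def demo() -> dict:
    """Run the workflow on a constructed environment with one suspect instance."""
    suspect = Instance("i-0abc", ["sg-web"], "web-template-v7",
                       volumes={"vol-root": b"constructed root disk"}, memory=b"constructed ram")
    cloud = InMemoryCloud([suspect], {"sg-web": ["0.0.0.0/0"], "sg-quarantine": []})
    return ResponseWorkflow(cloud, "sg-quarantine").handle_alert("i-0abc", "alert-42")
```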
DevSecOps pipeline for AppSec:
Src: https://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
DevSecOps pipeline for AWS Cloud:
Criteria for Choosing Security Tools
➔ Policy Coverage
➔ Accuracy
➔ Speed
➔ Scale
➔ Process Fit
➔ Integrations
Example PoC & Vendor Analysis:
Final Checklist
➔ Ensure that periodic reviews of the overall risk posture within cloud environments are performed to guarantee continued alignment of security and the other DevOps teams involved
➔ Keep system instances in the cloud as locked down as you can, commensurate with the exposure and data classification types involved
➔ Pay careful attention to privilege allocation and user, group and role management. This can easily creep over time in a dynamic environment
➔ Commit to a culture of continuous monitoring, helping to automate detection and scripted response activities that minimize manual intervention wherever possible
➔ Discuss vulnerabilities detected in cloud deployments with all team members, and make sure DevOps teams are involved in vulnerability, patch and configuration management discussions and policy creation.
➔ Ensure that you are gathering adequate security and operations logs and event data, sending it to a remote monitoring and collection platform
➔ Discuss the changing threat landscape with DevOps teams, and get practical measures that can be taken to implement the most effective security without impeding progress or slowing down the pace of business activities
Future Sessions
➔ Web Application Penetration Testing
➔ DevSecOps pipeline for application security
➔ Cloud Infrastructure Penetration Testing
➔ AWS, GCP security audit
➔ DevSecOps Training
➔ Security Automations in Cloud
➔ Incident Response in Cloud
➔ Architecting security in Cloud
➔ Cloud Cost Control
➔ Security Awareness Training
➔ Third party Vendor Application Security Assessment
THANK YOU
https://www.linkedin.com/in/sethuparimi/
setu@cloudsecops.com
https://cloudsecops.com/contact-us/
https://cloudsecops.com/blog/
+123456 43777