An introduction to DevSecOps webinar will be presented by me at 10.30am EST on 29th July, 2018. It's a session focused on a high-level overview of DevSecOps, which will be followed by intermediate and advanced level sessions in future.
Agenda:
- DevSecOps Introduction
- Key Challenges, Recommendations
- DevSecOps Analysis
- DevSecOps Core Practices
- DevSecOps pipeline for Application & Infrastructure Security
- DevSecOps Security Tools Selection Tips
- DevSecOps Implementation Strategy
- DevSecOps Final Checklist
2. Setu Parimi
Cloud Security Architect, Penetration Tester
Cybersecurity professional with extensive experience performing Vulnerability Assessments, Third-Party Application Security reviews, Penetration Testing, and Remediation support as it pertains to the security of Applications, Networks, Infrastructure, and Cloud domains.
Skills chart: Cloud 90%, DevSecOps 85%, PenTesting 83%, Trainings 65%
5. Continuous Delivery & DevOps
Continuous Delivery: Small, incremental and frequent code pushes to production. Continuous delivery eschews large production code releases separated by weeks or months.
DevOps: A new mode of intense collaboration between development and operations for the same goals.
6. DevOps Goals:
➔ Automated Provisioning
➔ No-Downtime Deployments
➔ Monitoring
➔ Fail fast and Open
➔ Automated builds and testing
7. DevSecOps:
➔ Team or Community effort, not an individual's
➔ Autonomous and Automated Security -> Security at Scale
➔ DevSecOps is an approach to IT security based on the principles of DevOps
➔ DevSecOps spans the entire IT stack
➔ DevSecOps also spans the full software lifecycle
Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering "DevSecOps."
10. Do You Believe Your Information Security Policies/Teams Are Slowing IT Down?
Survey chart: responses from Information Security Professionals vs. IT Operations Professionals
11. DevSecOps Key Challenges:
➔ DevOps compliance is a top concern of IT leaders, but information security is seen as an inhibitor to DevOps agility.
➔ Security infrastructure has lagged in its ability to become "software defined" and programmable, making it difficult to integrate security controls into DevOps-style workflows in an automated, transparent way.
➔ Modern applications are largely "assembled," not developed, and developers often download and use known vulnerable open-source components and frameworks.
12. Recommendations:
➔ Start with secure development and training, but don't make developers become security experts or switch tools.
➔ Embrace the concept of people-centric security and empower developers to take personal responsibility for security, compensated for with monitoring. Embrace a "trust and verify" mindset.
➔ Require all information security platforms to expose full functionality via APIs for automatability.
13. DevSecOps Analysis:
➔ Security Controls Must Be Programmable and Automated Wherever Possible
➔ Use IAM and Role-Based Access Control to Provide Separation of Duties
➔ Implement a Simple Risk and Threat Model for All Applications
➔ Scan Custom Code, Applications and APIs
➔ Scan for OSS Issues in Development
➔ Scan for Vulnerabilities and Correct Configuration in Development
➔ Treat Scripts/Recipes/Templates/Layers as Sensitive Code
➔ Measure System Integrity and Ensure Correct Configuration at Load
➔ Lock Down Production Infrastructure and Services
15. Delivering DevSecOps:
Step 1: Assess Your Current Security Controls
Step 2: Inserting "Sec" into DevOps
Step 3: Integrate DevSecOps into Security Operations
16. Step 1: Assess Your Current Security Controls for Cloud
➔ Most likely threats
➔ Data types and sensitivity
➔ System builds and controls
➔ Cloud Infrastructure security posture
➔ Existing controls in place
➔ Controls we lose in cloud
17. Step 2: Inserting "Sec" into DevOps
➔ Development
➔ Inventory Management
➔ Configuration and Patch Posture
➔ Vulnerability Scanning and Assessment
➔ Account and Privilege Management
➔ Logging and Event Management
➔ Change Detection and Automated Rollback
➔ Microsegmentation
18. Step 3: Integrate DevSecOps into Security Operations
➔ Security tools help to automate or speed up the DevOps processes, e.g. Chef, Ansible, Puppet, Lambda
➔ Scenario:
◆ Security tools detect suspicious behavior on an instance in the cloud provider environment and trigger an automated response workflow via APIs that communicate with a DevSecOps automation engine or product
◆ The network allocation of the instance is changed via scripts and API calls to a dedicated "quarantine virtual switch" in the cloud environment that has no direct Internet connectivity
◆ A local process begins disk and memory acquisition on the suspect instance, which is copied to a forensic storage node in the cloud controlled by the security team and automatically protected with dedicated encryption
◆ The security and operations teams can then automatically perform a rollback of the instance to a known good state (or, more likely, create a new one from the most recent template).
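The response scenario above as an added, runnable example (not code from the webinar or any product it names): the workflow drives a small cloud-client interface so it runs offline against a constructed in-memory fake; the quarantine switch name, forensic bucket and template names are assumptions.

```python
"""Added example, not from the webinar slides: an automated quarantine-and-acquire
workflow. Provider API calls go through a small client object so the logic runs
offline against a constructed fake; a real deployment would back it with boto3 or the GCP SDK."""
from dataclasses import dataclass, field

QUARANTINE_NET = "quarantine-vswitch"   # assumed name of the no-Internet quarantine switch


@dataclass
class FakeCloud:
    """Constructed stand-in for the cloud API; records every call so ordering can be checked."""
    networks: dict = field(default_factory=dict)   # instance_id -> current network
    calls: list = field(default_factory=list)

    def move_to_network(self, instance_id, network):
        self.networks[instance_id] = network
        self.calls.append(("move", instance_id, network))

    def acquire_disk(self, instance_id, encrypted):
        self.calls.append(("disk", instance_id, encrypted))
        return f"snap-{instance_id}"

    def acquire_memory(self, instance_id, encrypted):
        self.calls.append(("mem", instance_id, encrypted))
        return f"memdump-{instance_id}"

    def copy_to_forensic_store(self, artifact, store):
        self.calls.append(("copy", artifact, store))
        return f"{store}/{artifact}"

    def replace_from_template(self, instance_id, template):
        self.calls.append(("replace", instance_id, template))
        return f"{instance_id}-new"


def respond_to_alert(cloud, alert, forensic_store="forensics-bucket", template="golden-image"):
    """Quarantine -> acquire -> copy to forensic store -> rebuild, for one alert.
    Isolation happens first so nothing can leave the instance while evidence is gathered,
    and the instance is only replaced after both artifacts have been copied out."""
    if alert.get("severity", "low") not in ("high", "critical"):
        return {"action": "ignored"}   # low-severity alerts go to human review, not auto-response
    iid = alert["instance_id"]
    cloud.move_to_network(iid, QUARANTINE_NET)
    artifacts = [cloud.acquire_disk(iid, encrypted=True),
                 cloud.acquire_memory(iid, encrypted=True)]
    stored = [cloud.copy_to_forensic_store(a, forensic_store) for a in artifacts]
    new_id = cloud.replace_from_template(iid, template)
    return {"action": "quarantined", "evidence": stored, "replacement": new_id}


# Constructed sample alert, shaped like what a detection tool might emit
SAMPLE_ALERT = {"instance_id": "i-0123", "severity": "high", "rule": "suspicious-outbound-traffic"}
```

The recorded call sequence is the property worth checking: the move to the quarantine network must precede acquisition, and the replace must come last.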
24. Final Checklist
➔ Ensure that periodic reviews of the overall risk posture within cloud environments are performed to guarantee continued alignment of security and the other DevOps teams involved
➔ Keep system instances in the cloud as locked down as you can, commensurate with the exposure and data classification types involved
➔ Pay careful attention to privilege allocation and user, group and role management. This can easily creep over time in a dynamic environment
➔ Commit to a culture of continuous monitoring, helping to automate detection and scripted response activities that minimize manual intervention wherever possible
➔ Discuss vulnerabilities detected in cloud deployments with all team members, and make sure DevOps teams are involved in vulnerability, patch and configuration management discussions and policy creation.
➔ Ensure that you are gathering adequate security and operations logs and event data, sending it to a remote monitoring and collection platform
➔ Discuss the changing threat landscape with DevOps teams, and agree on practical measures that can be taken to implement the most effective security without impeding progress or slowing down the pace of business activities
25. Future Sessions
➔ Web Application Penetration Testing
➔ DevSecOps pipeline for application security
➔ Cloud Infrastructure Penetration Testing
➔ AWS, GCP security audit
➔ DevSecOps Training
➔ Security Automations in Cloud
➔ Incident Response in Cloud
➔ Architecting security in Cloud
➔ Cloud Cost Control
➔ Security Awareness Training
➔ Third-party Vendor Application Security Assessment