Small Code Changes with Big Impact on Your DevSecOps Pipeline

Al Crowley

December 08, 2025

Transcript

  1. "The ratio of engineers in Development, Operations, and Infosec in a typical technology organization is 100:10:1. When Infosec is that outnumbered, without automation and integrating information security into the daily work of Dev and Ops, Infosec can only do compliance checking, which is the opposite of security engineering—and besides, it also makes everyone hate us." - Gene Kim, posted on dzone.com
  2. Summary of DevSecOps
     DevOps - You built it, you run it
     DevSecOps - You built it, you secure it, and you run it
  3. Testing - Put value on semantic markup
     Proper tags make testing and parsing much easier.
     YES! <h1> <nav> <label> <em> <code> <figure>
     Meh. <div> <span> <p>
     xpath: //h2//figure//label
     xpath: //div[contains(@class,"heading-medium")]//….
  4. Testing - Test Mode
     Many test frameworks set an environment variable:
       JavaScript: process.env.JEST_WORKER_ID !== undefined
       Python: if "PYTEST_CURRENT_TEST" in os.environ:
     Or are detectable in other ways (Java, looking for a JUnit frame on the call stack):
       for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
           if (element.getClassName().startsWith("org.junit.")) {
               return true;
           }
       }
       return false;
  5. Development & Deployment - Put in a little effort to automate everything
     Automate updates to:
     • Schema changes
     • Environment variables
     • Configuration settings
     • OS package requirements
     If you don't do it for your teammate, it probably won't happen in their development environment.
  6. Operations - Use tools to manage the database
     Find good tools for managing DB schemas. Forward and reverse migrations allow you to safely roll back. Automated schema management lets you jump versions and coordinate with multiple developers.
  7. Monitoring - Logging
     Log everything
     ….but log errors judiciously
     ….and use a logging library
     ….if possible, one that structures log data
  8. Questions
     • Does anyone have standards for what to log or what log levels to use?
     • Any teams using feature flags regularly?
     • What tools do you use for security monitoring and scanning?
     • Can you share anything that really helped your team make DevSecOps work?
     • How do you manage DB schema changes?
  9. Development - Put in effort to automate
     Deployments are a hidden time sink! Best case for a manual deployment (per iteration):
     • About 2 hours per deployment
     • 1 or 2 test deployments
     • 1 stage deployment
     • 1 production deployment
  10. Development - Put in effort to automate
     Realistic case for a manual deployment (per iteration):
     • About 2 hours per deployment
     • 3+ test deployments
     • 2+ debugging sessions
     • 2+ ad-hoc meetings with devs to fix deployment issues
     • 1 stage deployment per iteration
     • 1 production deployment per iteration
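Slide 4's test-mode detection carried through in Python, as an added example that is not the deck's own code: it combines the environment-variable check with a stack walk (the deck's JUnit trick, generalized to Python runners), uses the result only to swap a real side effect for a recording fake, and fails closed if a test marker turns up in a process marked production. The APP_ENV variable and the two mailer classes are assumptions made for the example.

```python
import inspect
import os

# The two signals the deck shows: an environment variable the runner sets,
# and a test-framework frame on the call stack (the JUnit stack-trace trick).
TEST_ENV_MARKERS = ("PYTEST_CURRENT_TEST", "JEST_WORKER_ID")
TEST_MODULE_PREFIXES = ("_pytest.", "pytest", "unittest.")


def _stack_module_names():
    """Module name of every frame on the live call stack."""
    names, frame = [], inspect.currentframe()
    while frame is not None:
        names.append(frame.f_globals.get("__name__", ""))
        frame = frame.f_back
    return names


def running_under_test(environ=None, stack_modules=None):
    """True when a test runner appears to be driving this process.
    environ/stack_modules are injectable so the detector itself is testable."""
    environ = os.environ if environ is None else environ
    if any(marker in environ for marker in TEST_ENV_MARKERS):
        return True
    modules = _stack_module_names() if stack_modules is None else stack_modules
    return any(name.startswith(TEST_MODULE_PREFIXES) for name in modules)


class RealMailer:
    """Stand-in for an SMTP client (hypothetical; never sends here)."""
    def send(self, to, body):
        raise RuntimeError("would send real mail to %s" % to)


class FakeMailer:
    """Records messages instead of sending them; tests assert on .sent."""
    def __init__(self):
        self.sent = []

    def send(self, to, body):
        self.sent.append((to, body))


def mailer_for(environ=None, stack_modules=None):
    """Fake mailer under test, real one otherwise; fail closed in production."""
    environ = os.environ if environ is None else environ
    under_test = running_under_test(environ, stack_modules)
    if under_test and environ.get("APP_ENV") == "production":
        # Gate only side effects on test mode, never security controls, and
        # treat a test marker in a production process as an error, not a mode.
        raise RuntimeError("test-mode markers present in a production process")
    return FakeMailer() if under_test else RealMailer()
```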