
DevSecOps Culture

Ali Yazdani
January 19, 2025

DevSecOps Culture

Let's review the whole DevSecOps concept together, then see what its benefits are for the development and operations teams, how we can establish it while spending less cost and time, and how it can help us to have a more secure and reliable development environment and process.


Transcript

  1. Readme!
     • A Security Engineer with over 10 years of experience in AppSec in different industry sectors.
     • 2016 - Present: OWASP contributor on projects like MSTG, and leading the DevSecOps Guideline project.
     • Now: Senior DevSecOps Engineer @ Scoutbee GmbH
  2. Introduction - traditional
     In traditional software development, security measures were on the right side!
     (Pipeline diagram: Develop → Build → Tests → Deliver build to staging → Deploy to Production, with the Security Checks boxes at the right-hand end.)
  3. Introduction - DevSecOps advent
     (Pipeline diagram: Code/Build → Deploy → Operation, with the security checks SAST, IaC, SCA, DAST, IAST and RASP placed along the phases.)
     • Aiming to fill the gap between Dev - Sec - Ops
     • By promoting a culture of:
       ◦ Collaboration
       ◦ Shared responsibility
       ◦ Continuous improvement
     DevOps process + Security checks → DevSecOps
  4. Introduction - The team story
     From a technology point of view, we added some security checks into the dev pipeline. But from a team perspective, we experienced changes too.
  5. But, it's not enough!
     (Pipeline diagram: Code/Build → Deploy → Operation with SAST, IaC, SCA, DAST, IAST and RASP; the right-hand side is labelled "Most potential attack surface" and lists Pentest, Bug Bounty, VDP, VA, WAF, …)
     We have to shift security checks to the left, but the right still needs to be protected. Phases can cover, but can't replace, each other.
  6. Some common misconceptions!
     1. DevSecOps Engineer is DevOps Engineer + Security Engineer.
     2. By implementing some tools → we have DevSecOps!
     3. Since DevSecOps says security is everyone's responsibility, we don't need a security engineer/consultant/specialist.
     4. By shifting security tests to the left, we have a fully secure product!
  7. Pillars of DevSecOps
     • People & Processes
     • Tools (Technologies)
     • Governance
     There is a lot of talk about tools, but what about the others?
  8. People & Processes
     • The most important part: it enables the others to function properly.
     • At the beginning, moving to DevSecOps increases the security team's workload!!
     • Traditionally:
       ◦ Development -> fast delivery
       ◦ Security -> application security
       ◦ Operations -> stability
     • DevSecOps: delivering secure and stable software quickly. This means that everyone has an equal stake in all three objectives and uses their expertise to support each other.
  9. People & Processes - 2nd
     Now we have a shared-responsibility model → update our processes. Define and establish processes to promote:
     - Clear communication
     - Transparent development
     - Active collaboration
     Processes will help people to stay involved!
     Topics to cover here:
     • Shape the team (Security Champions)
     • Training
       ◦ Secure coding
       ◦ Threat Modeling workshop
       ◦ …
     • Awareness
  10. Technologies
     • Let's make processes more practical!
     • Automation is a key.
     • Tools help us to:
       ◦ Reduce the effort spent on tests
       ◦ Increase accuracy
       ◦ Repeat the tests
  11. Technologies - Example
     Secret Scanning:
     • The secrets should not be hard-coded.
     • The secrets should not be unencrypted.
     • The secrets should not be stored in the source code.
     • The code history does not contain any secrets.
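As an added example (not code from the slides or from the author), here is a minimal secret scanner in Python that applies the four Secret Scanning rules above to a constructed working tree and a constructed commit history, and reports whether a pipeline gate would pass. The detector patterns, the entropy threshold, the convention that SOPS-style `ENC[...]` blobs, `${ENV_VAR}` placeholders and `vault:` paths count as acceptable references rather than secrets, and all sample repository contents are assumptions made for this example.

```python
"""Minimal secret scanner: added example, not code from the slides or from
the author. It applies the four rules on the slide to a constructed working
tree and a constructed commit history, so it runs offline."""
import math
import re
from collections import Counter

# Detectors for common shapes of committed secrets. The patterns are
# constructed for this example; real scanners ship hundreds of them.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # key = value where the key name suggests a credential; group(1) = value
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Values that only *reference* a secret kept elsewhere (encrypted or injected
# at runtime). Assumption for this example: SOPS-style ENC[...] blobs,
# ${ENV_VAR} placeholders and vault: paths are acceptable in source.
SAFE_REFERENCE = re.compile(r"^(?:ENC\[.*\]|\$\{[A-Za-z0-9_]+\}|vault:\S+)$")

# Long base64/hex-like runs; only flagged when their entropy is high.
TOKEN_RUN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; constructed threshold


def shannon_entropy(text):
    """Bits of entropy per character, estimated from character frequencies."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return [(rule, value), ...] for every secret-looking fragment in a line."""
    findings = []
    for rule, pattern in PATTERNS.items():
        m = pattern.search(line)
        if not m:
            continue
        value = m.group(1) if m.groups() else m.group(0)
        if SAFE_REFERENCE.match(value):
            continue  # encrypted or referenced, not the secret itself
        findings.append((rule, value))
    # Catch-all for tokens no pattern knows about, e.g. bearer tokens.
    for token in TOKEN_RUN.findall(line):
        already = any(token in value for _, value in findings)
        if not already and shannon_entropy(token) > ENTROPY_THRESHOLD:
            findings.append(("high_entropy_token", token))
    return findings


def scan_repo(worktree, history):
    """worktree: {path: content}; history: [(commit, path, content_as_committed)].
    Scanning both covers 'not in the source code' and 'not in the history'."""
    report = []
    sources = [("worktree", p, c) for p, c in worktree.items()] + list(history)
    for where, path, content in sources:
        for lineno, line in enumerate(content.splitlines(), 1):
            for rule, value in scan_line(line):
                report.append({"where": where, "path": path, "line": lineno,
                               "rule": rule, "preview": value[:4] + "…"})
    return report


def pipeline_gate(report):
    """True when the build may proceed (no findings); what CI would check."""
    return len(report) == 0


# --- Constructed sample repository (no real credentials) ---
WORKTREE = {
    "config/app.yaml": (
        "db:\n"
        "  password: ${DB_PASSWORD}\n"  # injected at runtime: allowed
        "  api_key: ENC[AES256_GCM,data:q1w2e3r4t5y6,iv:abcd,tag:efgh,type:str]\n"
    ),
    "src/client.py": (
        'AWS_KEY = "AKIAEXAMPLEKEY000001"\n'
        'session_token = "hunter2hunter2"\n'
        'headers = {"Authorization": "Bearer Zq8vL2xN9pK4tR7wY3mB6cF1hJ5dG0sA"}\n'
    ),
}
HISTORY = [
    # The value was later replaced by ${DB_PASSWORD}, but the old commit still has it.
    ("a1b2c3d", "config/app.yaml", "db:\n  password: Sup3rS3cretPassw0rd!\n"),
    ("e4f5a6b", "deploy/id_rsa",
     "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"),
]

if __name__ == "__main__":
    findings = scan_repo(WORKTREE, HISTORY)
    for finding in findings:
        print(finding)
    print("gate:", "pass" if pipeline_gate(findings) else "FAIL")
```

The working-tree scan catches the hard-coded key, the plaintext token and the unnamed high-entropy bearer token, while the history scan shows why rotating a secret out of HEAD is not enough: the old commit and the committed private key still fail the gate. The `ENC[...]` and `${DB_PASSWORD}` values pass because they are references to a secret managed elsewhere, which is the point of the "should not be unencrypted" rule.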
  12. Governance
     Having a system of governance enables us to:
     • Keep track of our progress, assess our successes, and pinpoint any challenges.
     • Identify any areas of improvement or potential shortcomings.
     • Visualize the outcomes and compare them to the expected impacts.
     Topics to cover here:
     • Compliance Audit/Check
       ◦ Policy as Code
       ◦ Security Benchmarking
       ◦ Security Standards (ISO, SOC2, …)
     • Data Protection
     • Visualisation
       ◦ Tracking maturities
       ◦ Monitoring
  13. Challenges and Mitigations
     • Overcoming Cultural Resistance
       Organizations should prioritize active collaboration and communication between all stakeholders, to ensure the same sense of ownership for the DevSecOps initiatives. Time to show the benefits of DevSecOps:
       ◦ Faster time-to-market
       ◦ Improving security
       ◦ Reducing vulnerabilities
     • Seamless Tool Integration
       ◦ Continuous monitoring and improvement of security tooling
     • Addressing Compliance and Regulations
       ◦ in the development process, to avoid delays and non-compliance issues later on.
  14. Conclusion
     • The DevSecOps journey is a long-term investment!
     • A good implementation makes it a cost-reduction activity.
     • Shifting to the left → catching issues as fast as possible. But that is not everything we can do.