Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introdução à Segurança de DevOps

Avatar for Alexandre Sieira Alexandre Sieira
May 05, 2020
Technology
0
19

Introdução à Segurança de DevOps

Apresentação sobre segurança de DevOps em ambientes de nuvem. Serão discutidos o uso de alta freqüência de deployment, pipelines de CI/CD, e o uso de containers ou adoção de aplicações serverless no contexto corporativo. Em especial, quais os benefícios para o negócio, os riscos à segurança da informação e os controles que o mercado tem adotado para mitigá-los.

Parte de um webinar realizado em conjunto com a Aqua Security em Maio de 2020.
Avatar for Alexandre Sieira

Alexandre Sieira

May 05, 2020
Tweet

More Decks by Alexandre Sieira

See All by Alexandre Sieira
The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lambda Authorizers
Avatar for Alexandre Sieira asieira
0
230
SaaSpocalypse - The Complexity and Power of AWS Cross-Account Access
Avatar for Alexandre Sieira asieira
0
21
Uma Introdução a Threat Intelligence e Threat Hunting para Empresas Sem Orçamento Infinito
Avatar for Alexandre Sieira asieira
0
13
Reverse Engineering the Wetware - Understanding Human Behavior to Improve Information Security
Avatar for Alexandre Sieira asieira
0
30

Other Decks in Technology

See All in Technology
無意味な開発生産性の議論から抜け出すための予兆検知とお金とAI
Avatar for Masato Ishigaki / 石垣雅人 i35_267
4
12k
Claude Code に プロジェクト管理やらせたみた
Avatar for 佐藤圭吾 unson
6
3.2k
B2C&B2B&社内向けサービスを抱える開発組織におけるサービス価値を最大化するイニシアチブ管理
Avatar for Belong inc. belongadmin
1
6.4k
AIの全社活用を推進するための安全なレールを敷いた話
Avatar for ShoheiMitani shoheimitani
2
490
OPENLOGI Company Profile for engineer
Avatar for OPENLOGI hr01
1
34k
Should Our Project Join the CNCF? (Japanese Recap)
Avatar for whywaita whywaita
PRO
0
330
関数型プログラミングで 「脳がバグる」を乗り越える
Avatar for manabeai manabeai
0
110
FOSS4G 2025 KANSAI QGISで点群データをいろいろしてみた
Avatar for kou_kita kou_kita
0
390
What’s new in Android development tools
Avatar for Yuki Anzai yanzm
0
270
American airlines ®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for markhor64456 airhelpsupport
0
360
fukabori.fm 出張版: 売上高617億円と高稼働率を陰で支えた社内ツール開発のあれこれ話 / 20250704 Yoshimasa Iwase & Tomoo Morikawa
Avatar for SHIFT EVOLVE shift_evolve
PRO
2
7k
KubeCon + CloudNativeCon Japan 2025 Recap by CA
Avatar for YuyaKoda ponkio_o
PRO
0
290

Featured

See All Featured
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.3k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
Designing for humans not robots
Avatar for Tammie Lister tammielis
253
25k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
357
30k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
233
17k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
55
5.7k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
72
4.9k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
22k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k

Transcript

  1. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. Introdução à Segurança de DevOps 2 Alexandre Sieira Founder @ Tenchi Security [email protected] @AlexandreSieira

  2. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. Agenda 1. Waterfall 2. Agile 3. DevOps 4. DevSecOps 5. CI/CD 6. Containers 7. Serverless 3

  3. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. 4 Waterfall Modelos tradicionais de gestão de projetos e processos corporativos: • Planejamento prévio minucioso; • Dependência na capacidade de prever o futuro para minimizar custos trazidos por mudanças; • Preponderância de processos sobre pessoas; • Diversos pontos de aprovação manuais; • Entendimento de soma zero entre velocidade e robustez. Alta % de atrasos, custos excedidos e falhas de desenvolvimento de software.

  4. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. 5 Agile

  5. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. 7 DevOps DevOps is a set of practices that combines software development (Dev) and information-technology operations (Ops) which aims to shorten the systems development life cycle and provide continuous delivery with high software quality.

  6. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. DevOps “(…) companies such as CapitalOne that report deploying up to 50 times per day for a product, or companies such as Amazon, Google, and Netflix that deploy thousands of times per day (aggregated over the hundreds of services that comprise their production environments).” https://services.google.com/fh/files/misc/state-of-devops-2019.pdf

  7. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. Se segurança for o gargalo, anulará os benefícios trazidos para o negócio por DevOps. Segurança precisa se adaptar, e suportar estes ganhos mudando a forma como atua. 9

  8. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. DevOps “As in previous years, our highest performers do significantly better on all four measures, and low performers do significantly worse in all areas.” “(…) availability measures are significantly correlated with software delivery performance profiles, and elite and high performers consistently reported superior availability, with elite performers being 1.7 times more likely to have strong availability practices.” https://services.google.com/fh/files/misc/state-of-devops-2019.pdf

  9. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. DevOps https://services.google.com/fh/files/misc/state-of-devops-2019.pdf

  10. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. DevOps https://info.veracode.com/report-state-of-software-security-volume-10.html

  11. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. 13 DevSecOps https://www.nist.gov/system/files/documents/director/planning/report02-3.pdf SHIFT LEFT

  12. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. Requisitos Design Código Teste Operação 14 DevSecOps Requisitos de segurança e compliance como parte de requisitos de negócios. Threat modeling. Segurança incorporada à arquitetura. Modelo D.I.E. – distributed, immutable, ephemeral. Mais threat modeling. Produtos de segurança integrados à IDE e ferramentas do desenvolvedor. Code review e stand- ups com time de segurança. Uso de biblioteca, templates de IaC e produtos desenvolvidos / mantidos por segurança. Uso de CI para rodar SAST, DAST, VA, CWPP, CSPM, etc. Testes baseados em requisitos de segurança. Testes de regressão baseado em resultados de incidentes ou pen- tests. Dev e Ops envolvidos durante e em blameless post-mortems de incidentes. Uso de CD para minimizar privilégios. VA, CWPP, CSPM, etc.

  13. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. Tenha desenvolvedores no time, escreva e mantenha código de segurança. 15 Participe de todos os ritos e passos do desenvolvimento. Produtos precisam ter APIs e se integrar no pipeline de CI/CD. Dev e Ops precisam ser envolvidos, estar qualificados para e se tornar responsáveis pela segurança. Evite a todo custo parar o pipeline, preserve a velocidade.

  14. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. 16 CI/CD A solução de CI/CD costuma ser um forte concentrador de risco: • Frequentemente instalada e operada por times de desenvolvedores sem background em operações ou segurança; • Considerada “interna” e portanto não exposta a atacantes; • Acesso a todos os repositórios de código; • Acesso de escrita a ambientes para deploy. Histórico de segurança de projetos open source como Jenkins não é exatamente fantástica.

  15. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. DevSecOps

  16. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. Containers

  17. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. Serverless

  18. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Perguntas? 20

  19. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other

    use prohibited. Material de Referência Controlled Chaos - The Inevitable Marriage of DevOps & Security Kelly Shortridge (@swagitda_) https://youtu.be/GxN4Y2as-OM Security Learns to Sprint – DevSecOps Tanya Janca (@shehackspurple) https://youtu.be/g3wCiEEiZmI Black Hat USA 2019 Keynote: Every Security Team is a Software Team Now Dino Dai Zovi (@dinodaizovi) https://youtu.be/8armE3Wz0jk