Small Leap for Developer, Giant Leap for Security - Why DevSecOps is More Important than Ever and How It's Done By Renaldi Gondosubroto

Transcript

1. COMMUNITY DAY MENA Small Leap for Developer, Giant Leap for

   Security Why DevSecOps is More Important than Ever and How It’s Done

2. Renaldi Gondosubroto Founder and Developer Advocate @ GReS Studio @Renaldig

   @renaldigondosubroto COMMUNITY DAY MENA

3. COMMUNITY DAY MENA Agenda The DevSecOps Culture Secure Strategies Project

   Planning Collaborating on Security and Compliance Code as Security Designing a DevSecOps Workflow & Architecture Wrap-Up

4. COMMUNITY DAY MENA What’s Your Security Team Like? Compliance Officer

   Analyst Program Manager Developers?

5. COMMUNITY DAY MENA What is Your Culture? Principle of finding

   the balance between DevOps and security DevSecOps is about culture, not simply practice Everyone is responsible for security

6. COMMUNITY DAY MENA How DevOps is being Revamped and How

   it Fits into the Age of Covid-19 Monitoring and Analytics Monitoring and Analytics

7. COMMUNITY DAY MENA Strategies in creating a more secure environment

   • Decoupling • Encryption • Construction of a secure workflow

8. COMMUNITY DAY MENA Decoupling Presentation Layer Application Infrastructure Layer Frontend

   Route 53 S3 CloudFront VPC1 VPC2

9. COMMUNITY DAY MENA Project Planning Planning – Setting up roles

   with security at each step Requirements – Understanding the needs of the project Execution – Coding and deployment based on both dev and security needs Testing – Continual testing through the framework decided on Tracking – Monitoring metrics for success Update – Iteratively make adjustments as necessary

10. COMMUNITY DAY MENA Secure Planning for the Future • Establish

    objectives: Deploy collection of environmental data in a simple and secure environment • Ensure all team members understand controls behind the website (blur the line between security and DevOps) • Have developers think of mitigation ahead of time (Such as with reading OWASP top 10)

11. COMMUNITY DAY MENA Aspects of Security to Collaborate On

12. COMMUNITY DAY MENA Planning for Incident Response the DevSecOps Way

    • Have a think; what to assign for the security team to react to and what to assign for the developers to react to? • Plan the usage of continuous monitoring at every step of the way alongside encrypting and validating data logs • Third Party tools such as Opsgenie

13. COMMUNITY DAY MENA DevSecOps in Scrum in the Age of

    Covid-19 • It doesn’t have to be Agile vs DevSecOps • Getting security to be part of the conversation • Added to the three questions that may be asked, add a “Will there be any security concerns on the infrastructure?” • Iteratively adding monitoring metrics to services

14. COMMUNITY DAY MENA DevSecOps with CI/CD • Source, test, production

    • Make a checklist of services that each go through • Hardening on- and off-premises servers/artifacts Source Test Production

15. COMMUNITY DAY MENA The Art of Continuous Compliance – PCI

    DSS SNS CloudWatch ElastiCache Rekognition • Centralize monitoring, logging and alerts • Continuous implementation of Config rules

16. COMMUNITY DAY MENA Code as Security

17. COMMUNITY DAY MENA Automating with Simple Workflow Service Customer Set-

    Up Verify Device Charge Card for Plan Activate Data Plan Provide Access to Services End DynamoDB

18. COMMUNITY DAY MENA Automating with Simple Workflow Service Web Front

    End Decision Tasks Verification Tasks Set Up Access to Services Execution History Security Check Tasks Worker for verification Worker for Security Checks Worker for Setting Access to Services Decider Long poll Long poll Long poll Return results Return results Return results

19. COMMUNITY DAY MENA Creating a Secure Cloud Architecture CloudWatch CloudTrail

    Config DynamoDB Lambda CodePipeline Kinesis

20. COMMUNITY DAY MENA Utilizing Opsgenie

21. COMMUNITY DAY MENA Utilizing Opsgenie Cont.

22. COMMUNITY DAY MENA Utilizing Opsgenie Cont. in Slack

23. COMMUNITY DAY MENA If in Sprint, then evaluate how security

    went! • Product owners also care very much about the security • Evaluate against benchmarks (e.g. CIS Foundations) • Utilizing AWS Inspector • Evaluate tools

24. COMMUNITY DAY MENA Wrap-Up • It’s just an addition to

    the already working DevOps culture, but with a touch on security • Minimal costs • Will bring much benefits down the line • Bottom line: Crucial during the navigation of businesses through Covid-19

25. COMMUNITY DAY MENA Thank You! Connect with me Twitter Handle:

    @Renaldig LinkedIn: @renaldigondosubroto