
DevSecOps | People - Process - Platform

ducthinh993
November 29, 2020



Transcript

  1. DevSecOps: People – Process – Platform. Problems and tips for the Enterprises. NGUYỄN ĐỨC THỊNH – Vietnam Security Bootcamp 2020. [email protected]
  2. Who am I?
     • DevSecOps @ many companies
     • Research & sharing DevOps & DevSecOps culture to the company.
  3. Agenda
     • Who am I?
     • Why this talk?
     • DevOps is good; DevSecOps is better
     • Let’s do DevSecOps – Myths & Facts
     • DevSecOps Conceptual Architecture
     • DevSecOps Tips
  4. DevOps – Quick Recap
     • DevOps is a set of practices that works to automate and integrate the processes between software development and IT teams, so they can build, test, and release software faster and more reliably.
  5. DevOps is good; DevSecOps is better
     A transformational way to integrate security controls and compliance requirements into each phase of the DevOps pipeline:
     • Continuous security
     • Reduce mean-time-to-recovery for security issues
     • Enhance compliance by automation & monitoring
     • Increase collaboration between teams by sharing knowledge
  6. DevSecOps Misconceptions
     • DevSecOps is incompatible with compliance requirements
     • DevSecOps just means code scanning
     • DevSecOps is only “Security as Code” or automation
     • DevSecOps requires developers to be security experts
  7. People
     Developers
     • Secure code training
     • Develop in-house services to help monitor & measure DevOps
     • Empower DevOps engineers to take personal responsibility for security
     • Adopt version control and tight management of infrastructure automation tools
     Security
     • Incorporate application security testing for custom code
     • Adapt to “continuous security”
     • Get involved in the development cycle
  8. Process in practice
     • Trigger by git commit so that every interaction with the systems is integrity-protected, auditable and accountable.
     • Leverage automation to prevent human mistakes and to centralize control.
     • Run pipelines on a separate network segment to minimize network connectivity between the IT workspace & run-time environments.
  9. Platform
     • Ticket System
     • Source Code Control
     • CI/CD
     • Infrastructure as Code
     • Static Application Security Test
     • Dynamic Application Security Test
     • Monitoring & Tracking
  10. Regulation & Compliance
     Separation of Duty
     • DevSecOps team should be a virtual group
     • Deliverables go via the CI/CD pipeline without any human interaction.
     Maker/Checker
     • Any change to systems must be tracked by Ticket ID
     • CI/CD pipeline only triggers after the required number of approvals.
     Auditable
     • Ticket ID represents the change request.
     • Code commit message must contain the Ticket ID
  11. Great, start with SAST
     Embed the SAST process into CI/CD pipelines.
     Perform code review:
     • Look for hard-coded sensitive data.
     • Revalidate potential security breaks reported by the tools.
     • Remove all run-time-specific environment variables from the code.
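As an added example (not from the deck), a small Python pre-merge gate that applies two of the rules above: the Auditable rule from slide 10 that every commit message must carry a Ticket ID, and the code-review rule here of looking for hard-coded sensitive data in the lines a change adds. The Ticket ID format, the secret patterns and the sample commit are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Assumed Ticket ID format such as "SEC-1234"; the deck does not define one.
TICKET_RE = re.compile(r"\b[A-Z]{2,10}-\d+\b")

# Assumed, illustrative patterns for hard-coded sensitive data (not exhaustive).
SECRET_PATTERNS = {
    "password assignment": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]+['\"]"),
    "api key assignment": re.compile(r"(?i)(api[_-]?key|secret[_-]?key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def check_commit_message(message: str) -> List[str]:
    """Auditable rule: the commit message must reference a Ticket ID."""
    if TICKET_RE.search(message):
        return []
    return ["commit message has no Ticket ID (expected e.g. SEC-1234)"]

def scan_added_lines(diff: str) -> List[str]:
    """Code-review rule: scan only the lines a unified diff adds ('+', not '+++')."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(f"diff line {lineno}: possible {name}")
    return findings

def gate(message: str, diff: str) -> Tuple[bool, List[str]]:
    """Return (passed, findings); the pipeline stops when passed is False."""
    findings = check_commit_message(message) + scan_added_lines(diff)
    return (not findings, findings)

# Constructed sample commit that fails both rules (AWS's documented example key, not a real credential).
SAMPLE_MESSAGE = "fix login bug"
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = False
+DB_PASSWORD = "hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_MESSAGE, SAMPLE_DIFF)
    print("PASS" if passed else "FAIL", *findings, sep="\n")
```

A commit that reads the value from the environment instead (for example `os.environ["DB_PASSWORD"]`) and carries a Ticket ID passes both checks.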
  12. Threat Modeling & Design Review
     • Be Secure by Design.
     • Security Patterns for Microservice Architectures
     • Verify Security with Delivery Pipelines.
     Ref: https://www2.slideshare.net/sbc-vn/dinh-huy-cuong-threat-modeling-to-catch-a-thief-think-like-a-thief
  13. Separation of Duty but share the same goals
     (Diagram mapping DevOps Engineers and Site Reliability Engineers against: Code Base, Deployment Instruction, Run-time environment on Development, Run-time environment on PROD, Secrets data on Development, Secrets data on PROD.)
  14. Measure effectiveness
     • Use automation to prevent repeat problems
     • Improve the security process so it applies at scale.
     • Train the team in the culture of DevSecOps
     • Train and practice secure coding in development
     • Track metrics from all tools to make sure of Availability & Reliability
     • Cooperate with the SDLC process.
     • Act as quality gate for security issues.
     (Diagram labels: Security, Stable, Scalable, Safe)
  15. DevSecOps Maturity Model
     The Building Security In Maturity Model (BSIMM) is a study of existing software security initiatives. Ref: https://dsomm.timo-pagel.de/
  16. References
     • https://www.dxc.technology/aerospace_defense/insights/148120-devsecops_a_key_to_achieving_cmmc_and_fedramp_compliance
     • https://csrc.nist.gov/publications/detail/sp/800-190/final
     • OWASP DevSecOps Maturity Model: https://dsomm.timo-pagel.de/
     • Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF): https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf