DevSecOps: Delivering secure software at speed and scale of DevOps



Evandro Mohr

June 08, 2019

Transcript

  1. DevSecOps Delivering secure software at speed and scale of DevOps.

  2. Evandro Mohr: Developer, Pilot, Professor, Photographer

  3. “DevOps is not a goal, but a never-ending process of continual improvement” – Jez Humble
  4. It’s all about bottlenecks

  5. Chaotic Model: Fix, Build. First steps in the SDLC

  6. Waterfall Model

  7. Waterfall Model ▪ Long release cycles ▪ Functional silos ▪ Rigid ▪ Lots of WIP
  8. The dawn of Agile ▪ Shorter release cycles ▪ Cross-functional teams ▪ Smaller batch sizes
  9. DEV X OPS

  10. DEV X OPS

  11. DevOps

  12. DevOps ▪ Culture: Principles and Practices ▪ Processes: Automated deployment pipeline ▪ Technologies: Supporting tool chain
  13. DevOps Pipeline

  14. How to keep up with security?

  15. DevSecOps: Integrating security into Agile and DevOps

  16. “DevSecOps enables organisations to deliver inherently secure software at DevOps scale and speed.”
  17. Security Practice Checklist ✓ Verify for security early and often ✓ Parameterize queries ✓ Encode data ✓ Validate all inputs ✓ Implement identity and authentication controls ✓ Implement appropriate access controls ✓ Protect data ✓ Implement logging and intrusion detection ✓ Use security frameworks and libraries ✓ Error and exception handling
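Four of the checklist items above (validate all inputs, parameterize queries, encode data, error and exception handling) fit in one small profile-lookup function. The following is an added example written for this transcript, not code from the talk; it uses Python's standard-library sqlite3 with a constructed in-memory users table, and the "unsafe" function is kept only to show, on the same input, what the parameterized version prevents.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the deck): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


# Validate all inputs: an allow-list for the shape of a username, not a deny-list
# of bad characters. Anything that does not match is rejected before any query.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(name):
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return name


def find_user_unsafe(conn, name):
    """The 'before': string concatenation lets the input change the SQL itself.
    A name such as  alice' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user(conn, name):
    """Parameterize queries: the driver binds the value; it is never parsed as SQL,
    so the same payload simply matches no row."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_profile(row):
    """Encode data: escape at the point where the value enters an HTML context."""
    name, email = row
    return f"<p>{html.escape(name)} ({html.escape(email)})</p>"


def profile_page(conn, raw_name):
    """Error and exception handling: validate, query, encode, and fail closed with
    a generic message so no internal detail (query text, stack trace) leaks out."""
    try:
        name = validate_username(raw_name)
    except ValueError:
        return "<p>Unknown user</p>"
    rows = find_user(conn, name)
    if not rows:
        return "<p>Unknown user</p>"
    return render_profile(rows[0])


if __name__ == "__main__":
    db = make_db()
    payload = "alice' OR '1'='1"
    print("unsafe  :", find_user_unsafe(db, payload))   # both rows come back
    print("safe    :", find_user(db, payload))          # no row matches
    print("page    :", profile_page(db, "alice"))
```

The order inside profile_page is the point: validation narrows what can reach the database, the bound parameter makes the query immune to whatever still gets through, and encoding happens last, at the output boundary, rather than being mixed into the stored data.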
  18. OWASP Top 10

  19. Security Practice Checklist

  20. DevSecOps

  21. DevOps security hooks

  22. DevSecOps Trigger Points ✓ Static scanning during development ✓ Pull requests: static scans of data flow, semantics and configuration ✓ Integration branch: dynamic scanning ✓ QA release candidate integration: dynamic scanning ✓ Production acceptance: production-safe dynamic scanning ✓ Post-production: RASP (Runtime Application Self-Protection) and WAF (Web Application Firewall); both need their rules kept updated
  23. DevSecOps ▪ Culture: Principles and Practices ▪ Processes: Automated deployment pipeline ▪ Technologies: Supporting tool chain
  24. Culture ▪ Communication and transparency ▪ Blameless postmortems ▪ Continuous improvement ▪ Everyone is responsible for security ▪ Automate as much as possible ▪ Everything as code
  25. Processes: Secure SDLC ▪ Training ▪ Requirements ▪ Architecture & Design ▪ Coding ▪ Testing ▪ Deployment ▪ Post-deployment
  26. Processes: Security Pipeline ▪ Assessment of critical resources ▪ Reduce friction ▪ Increase visibility ▪ Each step repeatable ▪ Drive up dependency
  27. Processes Security Pipeline

  28. Technologies ▪ Requirements ▪ Code: IDE plugins, SAST ▪ Test: Gauntlt, DAST ▪ Configure: security as code ▪ Maintenance: patch management ▪ Monitor: auditing, attack visibility
  29. Questions?

  30. Thank you very much for your time. You can find me at: ▪ br.linkedin.com/in/evandromohr ▪ t.me/phpcomrapadura