DevSecOps: Delivering secure software at speed and scale of DevOps
Evandro Mohr
June 08, 2019
Technology
Transcript
DevSecOps: Delivering secure software at speed and scale of DevOps.
Evandro Mohr: Developer, Pilot, Professor, Photographer
“DevOps is not a goal, but a never-ending process of continual improvement” – Jez Humble
It’s all about bottlenecks
Chaotic Model: Fix, Build (first steps in the SDLC)
Waterfall Model
Waterfall Model
▪ Long release cycles
▪ Functional silos
▪ Rigid
▪ Lots of WIP
The dawn of Agile
▪ Shorter release cycles
▪ Cross-functional teams
▪ Smaller batch sizes
DEV X OPS
DevOps
DevOps
▪ Culture: Principles and Practices
▪ Processes: Automated deployment pipeline
▪ Technologies: Supporting tool chain
DevOps Pipeline
How to keep up with security?
DevSecOps: Integrating security into Agile and DevOps
“DevSecOps enables organisations to deliver inherently secure software at DevOps scale and speed.”
Security Practice Checklist
✓ Verify for security Early and Often
✓ Parameterize Queries
✓ Encode Data
✓ Validate All Inputs
✓ Implement Identity and Authentication Controls
✓ Implement Appropriate Access Controls
✓ Protect Data
✓ Implement Logging and Intrusion Detection
✓ Use Security Frameworks and Libraries
✓ Error and Exception Handling
OWASP Top 10
Security Practice Checklist
DevSecOps
DevOps security hooks
DevSecOps Trigger Points
✓ Static scanning during development
✓ Pull requests: static scans of data-flow, semantic and configurational
✓ Integration branch: dynamic scanning
✓ QA Release Candidate Integration: dynamic scanning
✓ Production Acceptance: production-safe dynamic scanning
✓ Post-Production: RASP (Runtime Application Self-Protection) and WAF (Web Application Firewalls); both need their rules updated.
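The trigger points above wired into a single CI workflow, as an added example that is not part of the deck: a GitHub Actions file in which pull requests get the static scans, pushes to the integration branch get a full dynamic scan against an ephemeral deployment, and a published release gets only the production-safe dynamic scan behind an approval-gated environment. The scanner scripts (./ci/sast.sh, ./ci/dast.sh, ./ci/deploy-ephemeral.sh), the branch names and the EPHEMERAL_URL/PROD_URL variables are assumptions standing in for the team's own tools and environments.

```yaml
# Added example (not from the deck): maps the DevSecOps trigger points to
# pipeline events. Script paths, branch names and variable names are
# placeholders for the team's real SAST/DAST tooling and environments.
name: security-hooks

on:
  pull_request:                 # trigger point: pull requests -> static scans
    branches: [develop, main]
  push:
    branches: [develop]         # trigger point: integration branch -> dynamic scan
  release:
    types: [published]          # trigger point: production acceptance

jobs:
  static-scan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Data-flow and semantic analysis of the proposed change; a non-zero
      # exit status fails the check and blocks the merge.
      - run: ./ci/sast.sh --mode data-flow,semantic
      # Configuration scan (IaC, CI config, dependency manifests).
      - run: ./ci/sast.sh --mode config

  dynamic-scan:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Deploy the integration build to a throwaway environment, then run the
      # full DAST profile there, where destructive test traffic is acceptable.
      - run: ./ci/deploy-ephemeral.sh
      - run: ./ci/dast.sh --target "$EPHEMERAL_URL" --profile full
        env:
          EPHEMERAL_URL: ${{ vars.EPHEMERAL_URL }}

  production-acceptance:
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    environment: production     # manual approval if the environment has required reviewers
    steps:
      - uses: actions/checkout@v4
      # Production-safe checks only: passive, non-destructive requests.
      - run: ./ci/dast.sh --target "$PROD_URL" --profile production-safe
        env:
          PROD_URL: ${{ vars.PROD_URL }}
```

The post-production hooks from the slide (RASP and WAF rule updates) live outside the build pipeline and are not represented here.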
DevSecOps
▪ Culture: Principles and Practices
▪ Processes: Automated deployment pipeline
▪ Technologies: Supporting tool chain
Culture
▪ Communication and transparency
▪ Blameless postmortem
▪ Continuous improvement
▪ Everyone is responsible for security
▪ Automate as much as possible
▪ Everything as code
Processes: Secure SDLC
▪ Training
▪ Requirements
▪ Architecture & Design
▪ Coding
▪ Testing
▪ Deployment
▪ Post deployment
Processes: Security Pipeline
▪ Assessment of critical resources
▪ Reduce friction
▪ Increase visibility
▪ Each step repeatable
▪ Drive up dependency
Processes: Security Pipeline
Technologies
▪ Requirements
▪ Code: IDE plugins, SAST
▪ Test: Gauntlt, DAST
▪ Configure: Sec as code
▪ Maintenance: Patch management
▪ Monitor: Auditing, Attack visibility
Questions?
Thank you very much for your time.
You can find me at:
▪ br.linkedin.com/in/evandromohr
▪ t.me/phpcomrapadura