DevSecOps: Delivering secure software at speed and scale of DevOps

Transcript

1. DevSecOps Delivering secure software at speed and scale of DevOps.

2. Evandro Mohr 2 Developer Pilot Professor Photographer

3. “ “DevOps is not a goal, but a never-ending process

   of continual improvement” – Jez Humble 3

4. 4 It’s all about bottlenecks

5. Chaotic Model 5 Fix Build First steps is SDLC

6. Waterfall Model 6

7. Waterfall Model ▪ Long release cycles. ▪ Functional silos ▪

   Rigid ▪ Lot of WIP 7

8. The dawn of Agile 8 ▪ Shorter release cycles ▪

   Cross functional teams ▪ Smaller batch sizes

9. DEV X OPS 9

10. DEV X OPS 10

11. DevOps 11

12. 12 DevOps Culture Principles and Practices Processes Automated deployment pipeline

    Technologies Supporting tool chain

13. DevOps Pipeline

14. How to keep up with security? 14

15. DevSecOps Integrating security into Agile and DevOps 15

16. “ “DevSecOps enable organisations to deliver inherently secure software at

    DevOps scale and speed.” 16

17. Security Practice Checklist ✓ Verify for security Early and Often

    ✓ Parameterize Queries ✓ Encode data ✓ Validate All Inputs ✓ Implement Identity and Authentication Controls ✓ Implement Appropriate Access Controls ✓ Protect Data ✓ Implement Logging and Intrusion Detection ✓ Use security frameworks and libraries ✓ Error and Exception Handling

18. OWASP Top 10

19. Security Practice Checklist

20. DevSecOps

21. “ 21 DevOps security hooks

22. DevSecOps Trigger Points ✓ Static scanning during development ✓ Pull-requests:

    Static scans of data-flow, semantic and configurational ✓ Integration branch: Dynamic scanning ✓ QA Release Candidate Integration: Dynamic scanning ✓ Production Acceptance: Production-safe dynamic scanning ✓ Post-Production: RASP (Runtime Application Self-Protection), WAF (Web Application Firewalls) both need rules updated.

23. 23 DevSecOps Culture Principles and Practices Processes Automated deployment pipeline

    Technologies Supporting tool chain

24. Culture ▪ Communication and transparency ▪ Blameless postmortem ▪ Continuous

    improvement ▪ Everyone is responsible for security ▪ Automate as much as possible ▪ Everything as code

25. Processes Secure SDLC ▪ Training ▪ Requirements ▪ Architecture &

    Design ▪ Coding ▪ Testing ▪ Deployment ▪ Post deployment

26. Processes Security Pipeline ▪ Assessment of critical resource ▪ Reduce

    friction ▪ Increase visibility ▪ Each step repeatable ▪ Drive up dependency

27. Processes Security Pipeline

28. Technologies ▪ Requirements ▪ Code: IDE plugins, SAST ▪ Test:

    Gauntlt, DAST ▪ Configure: Sec as code ▪ Maintenance: Patch management ▪ Monitor: Auditing, Attack visibility

29. Questions? 29

30. Thank you very much for your time 30 You can

    find me at: ▪ br.linkedin.com/in/evandromohr ▪ t.me/phpcomrapadura