$30 off During Our Annual Pro Sale. View Details »

DevSecOps: Delivering secure software at speed and scale of DevOps

Evandro Mohr
June 08, 2019
Technology
0
180

DevSecOps: Delivering secure software at speed and scale of DevOps

Evandro Mohr

June 08, 2019
Tweet

More Decks by Evandro Mohr

See All by Evandro Mohr
DevSecOps: Criando uma Cultura shift left
evandromohr
0
110
Trabalhando com Escopo Aberto
evandromohr
1
83
Event-driven architecture
evandromohr
0
94
Hacking your PHP application
evandromohr
0
75
Event-Driven Architecture
evandromohr
1
130

Other Decks in Technology

See All in Technology
NIKKEI COMPASSの Stripe決済フローと決済高速化の方法/20231205-compass
nikkei_engineer_recruiting
1
210
GoのProtocプラグインを活用した効率的な負荷試験戦略 / Efficient Load Testing Strategies Utilizing the Go Protoc Plugin
biwashi
0
110
朝起こしてくれるメイドさんが欲しい (LT) - NIFTY Tech Day 2023
niftycorp
1
110
Kaggle Tokyo Meetup2023 CommonLit Solutionの紹介と考え方 - Fulltrain戦略と(Seed/Model)Ensembleの可視化 -
chumajin
2
1.1k
Honoが良さそう🔥
is_ryo
1
190
uGUI の自動操作の考え方と操作方法
orgachem
PRO
0
720
分散ストレージはすごいぞ
sat
PRO
1
360
開発組織の体制づくり、いつやるか問題
akiroom
0
1.9k
2023년의 딥러닝과 LLM 생태계
inureyes
PRO
0
740
LLMエンジニアリングを加速させるソフトウェアアーキテクチャ
tkikuchi1002
0
510
SOLID Is Dead, Long Live SOLID
lemiorhan
4
210
ROSCon 2023参加報告:Real-Time Workshop & Zenoh's Current Status and Forecast
takasehideki
1
220

Featured

See All Featured
WebSockets: Embracing the real-time Web
robhawkes
58
6.6k
Producing Creativity
orderedlist
PRO
335
38k
Reflections from 52 weeks, 52 projects
jeffersonlam
342
19k
The Web Native Designer (August 2011)
paulrobertlloyd
78
2.7k
In The Pink: A Labor of Love
frogandcode
135
21k
Visualization
eitanlees
131
13k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
656
120k
Building Flexible Design Systems
yeseniaperezcruz
317
36k
Automating Front-end Workflow
addyosmani
1354
200k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
53
33k
Making the Leap to Tech Lead
cromwellryan
120
8.2k
Building Adaptive Systems
keathley
29
1.6k

Transcript

  1. DevSecOps
    Delivering secure
    software at speed and
    scale of DevOps.

    View Slide

  2. Evandro Mohr
    2
    Developer
    Pilot
    Professor
    Photographer

    View Slide


  3. “DevOps is not a goal, but a
    never-ending process of continual
    improvement”
    – Jez Humble
    3

    View Slide

  4. 4
    It’s all about
    bottlenecks

    View Slide

  5. Chaotic
    Model
    5
    Fix
    Build
    First steps is SDLC

    View Slide

  6. Waterfall
    Model
    6

    View Slide

  7. Waterfall
    Model ▪ Long release cycles.
    ▪ Functional silos
    ▪ Rigid
    ▪ Lot of WIP
    7

    View Slide

  8. The dawn of
    Agile
    8
    ▪ Shorter release cycles
    ▪ Cross functional teams
    ▪ Smaller batch sizes

    View Slide

  9. DEV
    X
    OPS
    9

    View Slide

  10. DEV
    X
    OPS
    10

    View Slide

  11. DevOps
    11

    View Slide

  12. 12
    DevOps Culture
    Principles and Practices
    Processes
    Automated deployment pipeline
    Technologies
    Supporting tool chain

    View Slide

  13. DevOps
    Pipeline

    View Slide

  14. How to keep
    up with
    security?
    14

    View Slide

  15. DevSecOps
    Integrating security into Agile and DevOps
    15

    View Slide


  16. “DevSecOps enable organisations to
    deliver inherently secure software at
    DevOps scale and speed.”
    16

    View Slide

  17. Security
    Practice
    Checklist
    ✓ Verify for security Early and Often
    ✓ Parameterize Queries
    ✓ Encode data
    ✓ Validate All Inputs
    ✓ Implement Identity and Authentication Controls
    ✓ Implement Appropriate Access Controls
    ✓ Protect Data
    ✓ Implement Logging and Intrusion Detection
    ✓ Use security frameworks and libraries
    ✓ Error and Exception Handling

    View Slide

  18. OWASP
    Top 10

    View Slide

  19. Security
    Practice
    Checklist

    View Slide

  20. DevSecOps

    View Slide


  21. 21
    DevOps security hooks

    View Slide

  22. DevSecOps
    Trigger
    Points
    ✓ Static scanning during development
    ✓ Pull-requests: Static scans of data-flow,
    semantic and configurational
    ✓ Integration branch: Dynamic scanning
    ✓ QA Release Candidate Integration: Dynamic
    scanning
    ✓ Production Acceptance: Production-safe
    dynamic scanning
    ✓ Post-Production: RASP (Runtime Application
    Self-Protection), WAF (Web Application
    Firewalls) both need rules updated.

    View Slide

  23. 23
    DevSecOps Culture
    Principles and Practices
    Processes
    Automated deployment pipeline
    Technologies
    Supporting tool chain

    View Slide

  24. Culture
    ▪ Communication and transparency
    ▪ Blameless postmortem
    ▪ Continuous improvement
    ▪ Everyone is responsible for security
    ▪ Automate as much as possible
    ▪ Everything as code

    View Slide

  25. Processes
    Secure SDLC
    ▪ Training
    ▪ Requirements
    ▪ Architecture & Design
    ▪ Coding
    ▪ Testing
    ▪ Deployment
    ▪ Post deployment

    View Slide

  26. Processes
    Security Pipeline ▪ Assessment of critical resource
    ▪ Reduce friction
    ▪ Increase visibility
    ▪ Each step repeatable
    ▪ Drive up dependency

    View Slide

  27. Processes
    Security Pipeline

    View Slide

  28. Technologies
    ▪ Requirements
    ▪ Code: IDE plugins, SAST
    ▪ Test: Gauntlt, DAST
    ▪ Configure: Sec as code
    ▪ Maintenance: Patch management
    ▪ Monitor: Auditing, Attack visibility

    View Slide

  29. Questions?
    29

    View Slide

  30. Thank you very much
    for your time
    30
    You can find me at:
    ▪ br.linkedin.com/in/evandromohr
    ▪ t.me/phpcomrapadura

    View Slide