DevSecOps for the modern cloud era

Transcript

1. Security Mindset : Actionable DevSecOps Guide for the brave new

   cloud era Gurucharan Subramani www.gurucharan.in

2. ME !! MEEEEE !!! @gurucharan94 • I work at ABB.

   • IoT - Electric Transportation Charging Infra • Reduce C02 Emissions and fight climate change.

3. @gurucharan94 Audience Survey • Did you make a new friend

   ?? • Developers ?? Operations ?? Security ?? • How many know Diffie-Hellman Key Exchange??

4. DevSecOps @gurucharan94 Once upon a time…. • Silo teams –

   Dev / Test / Ops / Sec • Release every 3 months or longer. • Code freezes, hand offs and lot of emails. • On premises servers

5. DevSecOps @gurucharan94 …. and that meant we ended up here.

6. DevSecOps @gurucharan94 We partly solved the problem with the Cloud,

   DevOps and Continuous Delivery Principles.

7. DevSecOps @gurucharan94 … but faster release cycles and the cloud

   adoption meant traditional security gates were becoming irrelevant.

8. @gurucharan94 DevSecOps Code Build Unit Tests Test Env Integration Tests

   Security Tests Prod Let us find out how to go from here….. Code Build Unit Tests Integration Tests Prod Security Tests ….. to here

9. @gurucharan94 DevSecOps and more importantly from here… to here…

10. @gurucharan94 Secure Coding Practices Code Build Unit Tests Integration Tests

    Prod Security Tests

11. @gurucharan94 DevSecOps What is vulnerable code ? • Allows SQL

    Injection, XSS etc. • OWASP and other vulnerabilities. • Hard coded credentials in code

12. @gurucharan94 DevSecOps Where is the vulnerable piece of code ??

    • Code that my colleague writes • Open source software

13. @gurucharan94 DevSecOps Static Code Analysis Visual Studio Extensions • Security

    Code Scan • SonarQube and SonarLint https://security-code-scan.github.io/ https://www.sonarlint.org/

14. @gurucharan94 DevSecOps Managed Identity helps you avoid hardcode credentials in

    code https://devblogs.microsoft.com/visualstudio/managing-secrets-securely-in-the-cloud/

15. @gurucharan94 DevSecOps State of the Software Supply Chain - Sonatype

16. @gurucharan94 DevSecOps Scan for libraries with vulnerabilities • WhiteSource •

    OWASP Dependency Check • Nexus etc.

17. @gurucharan94 Secure Infrastructure Practices Code Build Unit Tests Integration Tests

    Prod Security Tests

18. @gurucharan94 DevSecOps Securing your Infrastructure • Pipeline Infra • Application

    Infra

19. @gurucharan94 DevSecOps •HTTPS Everywhere •Protecting your pipelines •Principle of least

    privilege •Secure Communication – IoT Devices

20. @gurucharan94 DevSecOps Shared Security Responsibility in the cloud https://docs.microsoft.com/en- us/azure/security/fundamentals/shared-responsibility

21. @gurucharan94 DevSecOps AzSK – Secure DevOps Kit for Azure The

    Secure DevOps Kit for Azure is a PowerShell Module that tests the configuration of Azure resources for security and operational best practices. https://github.com/azsk/DevOpsKit

22. @gurucharan94 DevSecOps AzSK – Secure DevOps Kit for Azure

23. @gurucharan94 DevSecOps Assuming Breach • Red Teams and Pen Testing

    • Monitoring and Metrics • Incident Response Plan

24. @gurucharan94 DevSecOps Recap – Secure Code • Static Code Analysis

    – SonarQube and VS extensions • Azure Key Vault and Managed Identity • OSS Vulnerability Scans - WhiteSource

25. @gurucharan94 DevSecOps Recap – Secure Infra • Right access levels

    and permissions. • Secure Communication using HTTPS. • Shared Responsibility Model in the Cloud. • AzSK – Azure Security Kit

26. @gurucharan94 How cyber aware are you?? • The first /

    last char in your office password is a number • Password Manager? • HIBP ?

27. @gurucharan94 DON’T YOLO. BE CYBER AWARE. DON’T BE THE NEXT

    DATA BREACH.

28. @gurucharan94 Let’s Connect www.gurucharan.in

29. @gurucharan94 Thank You !!!