Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps for the modern cloud era

2c8332d0def601c8ccfddd43d908a161?s=47 Gurucharan Subramani
February 01, 2020
Programming
0
14

DevSecOps for the modern cloud era

2c8332d0def601c8ccfddd43d908a161?s=128

Gurucharan Subramani

February 01, 2020
Tweet

More Decks by Gurucharan Subramani

See All by Gurucharan Subramani
2c8332d0def601c8ccfddd43d908a161?s=48 gurucharan94
0
59

Other Decks in Programming

See All in Programming
7b606c5039f083d13e2d2320ce6ddcfa?s=48 dqneo
0
160
4ab3fec3e82ddb19bcadd93ef909a443?s=48 syucream
4
1.5k
Ee398a67f5017cc2ad5c02d67d10e516?s=48 doyaaaaaken
1
340
7867fe52a9be4257508a516d4df61578?s=48 tkmnzm
1
250
D0a6969000c3715087b3a00abd646d20?s=48 timeseriesfr
0
150
Acd2f6f7498ea41881e161e191aa7c02?s=48 yattom
33
11k
E83cdc415df47ab3eae30957ae7e2d33?s=48 ykpythemind
0
160
C90bac78c0fb61105cfd8239767f903d?s=48 o0h
PRO
0
380
A0aae1297a0593c1316abdcdb4131e3a?s=48 toedter
0
140
5155c9bc5b30d9e2a8fd677695887861?s=48 kaonash
2
1.9k
B74ae56d7910fbe1dd685c999b8f9e31?s=48 shiba6v
0
210
7028eb7f1d5bf62b440e4e6894c4922c?s=48 bosshawk
1
280

Featured

See All Featured
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
242
21k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
119
16k
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
53
2.9k
78b475797a14c84799063c7cd073962f?s=48 holman
448
140k
24fc194843a71f10949be18d5a692682?s=48 gr2m
84
11k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
237
23k
39488f9d172ab92fd352f2cd7b73258d?s=48 mza
80
4.2k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
294
39k
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
330
15k
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
64
3.8k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
220
15k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
273
16k

Transcript

  1. Security Mindset : Actionable DevSecOps Guide for the brave new

    cloud era Gurucharan Subramani www.gurucharan.in

  2. ME !! MEEEEE !!! @gurucharan94 • I work at ABB.

    • IoT - Electric Transportation Charging Infra • Reduce C02 Emissions and fight climate change.

  3. @gurucharan94 Audience Survey • Did you make a new friend

    ?? • Developers ?? Operations ?? Security ?? • How many know Diffie-Hellman Key Exchange??

  4. DevSecOps @gurucharan94 Once upon a time…. • Silo teams –

    Dev / Test / Ops / Sec • Release every 3 months or longer. • Code freezes, hand offs and lot of emails. • On premises servers

  5. DevSecOps @gurucharan94 …. and that meant we ended up here.

  6. DevSecOps @gurucharan94 We partly solved the problem with the Cloud,

    DevOps and Continuous Delivery Principles.

  7. DevSecOps @gurucharan94 … but faster release cycles and the cloud

    adoption meant traditional security gates were becoming irrelevant.

  8. @gurucharan94 DevSecOps Code Build Unit Tests Test Env Integration Tests

    Security Tests Prod Let us find out how to go from here….. Code Build Unit Tests Integration Tests Prod Security Tests ….. to here

  9. @gurucharan94 DevSecOps and more importantly from here… to here…

  10. @gurucharan94 Secure Coding Practices Code Build Unit Tests Integration Tests

    Prod Security Tests

  11. @gurucharan94 DevSecOps What is vulnerable code ? • Allows SQL

    Injection, XSS etc. • OWASP and other vulnerabilities. • Hard coded credentials in code

  12. @gurucharan94 DevSecOps Where is the vulnerable piece of code ??

    • Code that my colleague writes • Open source software

  13. @gurucharan94 DevSecOps Static Code Analysis Visual Studio Extensions • Security

    Code Scan • SonarQube and SonarLint https://security-code-scan.github.io/ https://www.sonarlint.org/

  14. @gurucharan94 DevSecOps Managed Identity helps you avoid hardcode credentials in

    code https://devblogs.microsoft.com/visualstudio/managing-secrets-securely-in-the-cloud/

  15. @gurucharan94 DevSecOps State of the Software Supply Chain - Sonatype

  16. @gurucharan94 DevSecOps Scan for libraries with vulnerabilities • WhiteSource •

    OWASP Dependency Check • Nexus etc.

  17. @gurucharan94 Secure Infrastructure Practices Code Build Unit Tests Integration Tests

    Prod Security Tests

  18. @gurucharan94 DevSecOps Securing your Infrastructure • Pipeline Infra • Application

    Infra

  19. @gurucharan94 DevSecOps •HTTPS Everywhere •Protecting your pipelines •Principle of least

    privilege •Secure Communication – IoT Devices

  20. @gurucharan94 DevSecOps Shared Security Responsibility in the cloud https://docs.microsoft.com/en- us/azure/security/fundamentals/shared-responsibility

  21. @gurucharan94 DevSecOps AzSK – Secure DevOps Kit for Azure The

    Secure DevOps Kit for Azure is a PowerShell Module that tests the configuration of Azure resources for security and operational best practices. https://github.com/azsk/DevOpsKit

  22. @gurucharan94 DevSecOps AzSK – Secure DevOps Kit for Azure

  23. @gurucharan94 DevSecOps Assuming Breach • Red Teams and Pen Testing

    • Monitoring and Metrics • Incident Response Plan

  24. @gurucharan94 DevSecOps Recap – Secure Code • Static Code Analysis

    – SonarQube and VS extensions • Azure Key Vault and Managed Identity • OSS Vulnerability Scans - WhiteSource

  25. @gurucharan94 DevSecOps Recap – Secure Infra • Right access levels

    and permissions. • Secure Communication using HTTPS. • Shared Responsibility Model in the Cloud. • AzSK – Azure Security Kit

  26. @gurucharan94 How cyber aware are you?? • The first /

    last char in your office password is a number • Password Manager? • HIBP ?

  27. @gurucharan94 DON’T YOLO. BE CYBER AWARE. DON’T BE THE NEXT

    DATA BREACH.

  28. @gurucharan94 Let’s Connect www.gurucharan.in

  29. @gurucharan94 Thank You !!!