Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevSecOps em Aplicações, Cloud, Artefatos

Carol
April 14, 2021
2
130

DevSecOps em Aplicações, Cloud, Artefatos

Desenvolvimento seguro no desenvolvimento de software. Aplicar segurança também na infraestrutura como código e outros artefatos das tecnologias que usamos.

Carol

April 14, 2021
Tweet

More Decks by Carol

See All by Carol
Contribute to translate K8s Docs, Glossary and CNCF-whitepaper
krol3
1
88
Vulnerabilities in Golang
krol3
0
14
Security in Cloud using Infrastructure as a Code (IaaS)
krol3
0
140
Compliance in Cloud Native
krol3
2
160
Security Opensource Tools in Cloud Native
krol3
1
180
Intro to Operators in Kubernetes
krol3
0
61
Container Security
krol3
4
260
Segurança em Kubernetes
krol3
1
190
Vault em Kubernetes
krol3
3
180

Featured

See All Featured
The Power of CSS Pseudo Elements
geoffreycrofte
62
5k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
21
1.4k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
We Have a Design System, Now What?
morganepeng
43
6.8k
Designing on Purpose - Digital PM Summit 2013
jponch
111
6.5k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
21
6.4k
From Idea to $5000 a Month in 5 Months
shpigford
378
45k
Into the Great Unknown - MozCon
thekraken
14
1k
Product Roadmaps are Hard
iamctodd
45
9.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
26
2.3k
The Language of Interfaces
destraynor
151
23k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
275
13k

Transcript

  1. @krol_valencia DevSecOps em Apps,Cloud, Artifatos

  2. @krol_valencia Carol Valencia Solution Architect in in/carolgv krol3 @krol_valencia 2

  3. @krol_valencia Devops

  4. @krol_valencia Agile Transformati on 4 http://www.agilebuddha.com/agile/enterprise-agile-transformation-are-you-able-to-see-big-elephant/

  5. @krol_valencia 5

  6. @krol_valencia 6 https://infosecwriteups.com/why-am-i-rooting-for-a-new-category-in-owasp-top-10-2021-insecure-build-deployment-environment-e255242530e9

  7. @krol_valencia 7

  8. @krol_valencia 8

  9. @krol_valencia Aplicações

  10. @krol_valencia 10 https://holisticsecurity.io/2020/02/10/security-along-the-container-based-sdlc Secure SDLC

  11. @krol_valencia 11 Source: Alessandra Martins

  12. @krol_valencia 12 https://medium.com/ouspg/security-design-with-principles-a8c045765b93

  13. @krol_valencia 13 https://www.redhat.com/pt-br/topics/devops/what-is-ci-cd

  14. @krol_valencia 14 https://medium.com/hackernoon/delivery-pipelines-as-enabler-for-a-devops-culture-ebc45963f703

  15. @krol_valencia 15 Alessandra Martins

  16. @krol_valencia Testing

  17. @krol_valencia 17 https://circleci.com/blog/how-to-test-software-part-ii-tdd-and-bdd/

  18. @krol_valencia 18

  19. “ @krol_valencia 19 Static program analysis is the analysis of

    computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing Wikipedia

  20. @krol_valencia https://www.softwaresecured.com/what-do-sast-dast-iast-and-rasp-mean-to-developers/ 20

  21. SCA: Source Code Analysis Source: https://www.linuxfoundation.org/open- source-management/2017/06/building-a- business-on-open-source/ https://resources.whitesourcesoftware.co m/blog-whitesource/sast-vs-sca

    21

  22. @krol_valencia 22 OWASP Top 10

  23. @krol_valencia 23

  24. @krol_valencia Vulnerability https://www.first.org/cvss/calculator/3.0 24

  25. @krol_valencia 25 DevSecOps State of the Union - RSAC

  26. @krol_valencia Cloud

  27. @krol_valencia 27 Cloud Service Models

  28. @krol_valencia 28 https://blog.ine.com/13-effective-security-controls-in-microsoft-azure-for-iso-27001-compliance

  29. @krol_valencia Security Responsability in the Cloud 29

  30. @krol_valencia 1. Data Breaches 2. Misconfiguration 3. DDoS Attacks 4.

    Insufficient identity, credential, access and key management 5. Account hijacking 6. Man in the middle (MITM) 7 Insecure interfaces and APIs 8. Weak control plane 9. Limited cloud usage visibility 10. Abuse and nefarious use of cloud services Cloud Security Top threats 30

  31. @krol_valencia Misconfigured Cloud Resources 31

  32. @krol_valencia 32 Static Code Analysis for Infrastructure as Code

  33. @krol_valencia 33 Salesforce/policy_sentry cloudsplaining Least Privilege Using Infrastructure as Code

  34. @krol_valencia CIS Benchmar k OS - Configuration - Updates -

    Filesystem integrity - Boot settings Docker docker/docker- bench-security Kubernetes aquasecurity/kube -bench aquasecurity/kube -hunter 34

  35. @krol_valencia There is synergy in combining CWPP and CSPM capabilities…

    that scans workloads and configurations in development and protect workloads and configurations at runtime CSPM DevSecOps CWPP 35 2020 Market Guide for CWPP, Apr. 2020, by Neil MacDonald and Tom Croll

  36. @krol_valencia 36 • Gitlab: ◦ https://docs.gitlab.com/ee/user/application_security/sast/ ◦ https://docs.gitlab.com/ee/user/application_security/dast/ ◦ https://about.gitlab.com/blog/2019/08/12/developer-intro-

    sast-dast/ • Github: ◦ https://github.com/features/security ◦ https://help.github.com/en/github/managing-security- vulnerabilities • Node: https://owasp.org/www-project-node.js-goat/ • Go: https://github.com/OWASP/Go-SCP • Free for Open Source Application Security Tools: https://owasp.org/www- community/Free_for_Open_Source_Application_Security_Tools • DevSecOps list: https://github.com/krol3/devsecops-resources Resources

  37. @krol_valencia Obrigada! Preguntas? 37 in/carolgv krol3 @krol_valencia