DevSecOps em Aplicações, Cloud, Artefatos

Transcript

1. @krol_valencia DevSecOps em Apps,Cloud, Artifatos

2. @krol_valencia Carol Valencia Solution Architect in in/carolgv krol3 @krol_valencia 2

3. @krol_valencia Devops

4. @krol_valencia Agile Transformati on 4 http://www.agilebuddha.com/agile/enterprise-agile-transformation-are-you-able-to-see-big-elephant/

5. @krol_valencia 5

6. @krol_valencia 6 https://infosecwriteups.com/why-am-i-rooting-for-a-new-category-in-owasp-top-10-2021-insecure-build-deployment-environment-e255242530e9

7. @krol_valencia 7

8. @krol_valencia 8

9. @krol_valencia Aplicações

10. @krol_valencia 10 https://holisticsecurity.io/2020/02/10/security-along-the-container-based-sdlc Secure SDLC

11. @krol_valencia 11 Source: Alessandra Martins

12. @krol_valencia 12 https://medium.com/ouspg/security-design-with-principles-a8c045765b93

13. @krol_valencia 13 https://www.redhat.com/pt-br/topics/devops/what-is-ci-cd

14. @krol_valencia 14 https://medium.com/hackernoon/delivery-pipelines-as-enabler-for-a-devops-culture-ebc45963f703

15. @krol_valencia 15 Alessandra Martins

16. @krol_valencia Testing

17. @krol_valencia 17 https://circleci.com/blog/how-to-test-software-part-ii-tdd-and-bdd/

18. @krol_valencia 18

19. “ @krol_valencia 19 Static program analysis is the analysis of

    computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing Wikipedia

20. @krol_valencia https://www.softwaresecured.com/what-do-sast-dast-iast-and-rasp-mean-to-developers/ 20

21. SCA: Source Code Analysis Source: https://www.linuxfoundation.org/open- source-management/2017/06/building-a- business-on-open-source/ https://resources.whitesourcesoftware.co m/blog-whitesource/sast-vs-sca

    21

22. @krol_valencia 22 OWASP Top 10

23. @krol_valencia 23

24. @krol_valencia Vulnerability https://www.first.org/cvss/calculator/3.0 24

25. @krol_valencia 25 DevSecOps State of the Union - RSAC

26. @krol_valencia Cloud

27. @krol_valencia 27 Cloud Service Models

28. @krol_valencia 28 https://blog.ine.com/13-effective-security-controls-in-microsoft-azure-for-iso-27001-compliance

29. @krol_valencia Security Responsability in the Cloud 29

30. @krol_valencia 1. Data Breaches 2. Misconfiguration 3. DDoS Attacks 4.

    Insufficient identity, credential, access and key management 5. Account hijacking 6. Man in the middle (MITM) 7 Insecure interfaces and APIs 8. Weak control plane 9. Limited cloud usage visibility 10. Abuse and nefarious use of cloud services Cloud Security Top threats 30

31. @krol_valencia Misconfigured Cloud Resources 31

32. @krol_valencia 32 Static Code Analysis for Infrastructure as Code

33. @krol_valencia 33 Salesforce/policy_sentry cloudsplaining Least Privilege Using Infrastructure as Code

34. @krol_valencia CIS Benchmar k OS - Configuration - Updates -

    Filesystem integrity - Boot settings Docker docker/docker- bench-security Kubernetes aquasecurity/kube -bench aquasecurity/kube -hunter 34

35. @krol_valencia There is synergy in combining CWPP and CSPM capabilities…

    that scans workloads and configurations in development and protect workloads and configurations at runtime CSPM DevSecOps CWPP 35 2020 Market Guide for CWPP, Apr. 2020, by Neil MacDonald and Tom Croll

36. @krol_valencia 36 • Gitlab: ◦ https://docs.gitlab.com/ee/user/application_security/sast/ ◦ https://docs.gitlab.com/ee/user/application_security/dast/ ◦ https://about.gitlab.com/blog/2019/08/12/developer-intro-

    sast-dast/ • Github: ◦ https://github.com/features/security ◦ https://help.github.com/en/github/managing-security- vulnerabilities • Node: https://owasp.org/www-project-node.js-goat/ • Go: https://github.com/OWASP/Go-SCP • Free for Open Source Application Security Tools: https://owasp.org/www- community/Free_for_Open_Source_Application_Security_Tools • DevSecOps list: https://github.com/krol3/devsecops-resources Resources

37. @krol_valencia Obrigada! Preguntas? 37 in/carolgv krol3 @krol_valencia