Slide 1

DevSecOps in Apps, Cloud, Artifacts (@krol_valencia)

Slide 2

Carol Valencia, Solution Architect. in/carolgv | krol3 | @krol_valencia

Slide 3

DevOps

Slide 4

Agile Transformation. Source: http://www.agilebuddha.com/agile/enterprise-agile-transformation-are-you-able-to-see-big-elephant/

Slide 5

Slide 6

Source: https://infosecwriteups.com/why-am-i-rooting-for-a-new-category-in-owasp-top-10-2021-insecure-build-deployment-environment-e255242530e9

Slide 7

Slide 8

Slide 9

Applications

Slide 10

Secure SDLC. Source: https://holisticsecurity.io/2020/02/10/security-along-the-container-based-sdlc

Slide 11

Source: Alessandra Martins

Slide 12

Source: https://medium.com/ouspg/security-design-with-principles-a8c045765b93

Slide 13

Source: https://www.redhat.com/pt-br/topics/devops/what-is-ci-cd

Slide 14

Source: https://medium.com/hackernoon/delivery-pipelines-as-enabler-for-a-devops-culture-ebc45963f703

Slide 15

Source: Alessandra Martins

Slide 16

Testing

Slide 17

Source: https://circleci.com/blog/how-to-test-software-part-ii-tdd-and-bdd/

Slide 18

Slide 19

"Static program analysis is the analysis of computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing." (Wikipedia)

Slide 20

Source: https://www.softwaresecured.com/what-do-sast-dast-iast-and-rasp-mean-to-developers/

Slide 21

SCA: Source Code Analysis. Source: https://www.linuxfoundation.org/open-source-management/2017/06/building-a-business-on-open-source/ and https://resources.whitesourcesoftware.com/blog-whitesource/sast-vs-sca

Slide 22

OWASP Top 10

Slide 23

Slide 24

Vulnerability. Source: https://www.first.org/cvss/calculator/3.0

Slide 25

Source: DevSecOps State of the Union, RSAC

Slide 26

Cloud

Slide 27

Cloud Service Models

Slide 28

Source: https://blog.ine.com/13-effective-security-controls-in-microsoft-azure-for-iso-27001-compliance

Slide 29

Security Responsibility in the Cloud

Slide 30

Cloud Security Top Threats
1. Data Breaches
2. Misconfiguration
3. DDoS Attacks
4. Insufficient identity, credential, access and key management
5. Account hijacking
6. Man in the middle (MITM)
7. Insecure interfaces and APIs
8. Weak control plane
9. Limited cloud usage visibility
10. Abuse and nefarious use of cloud services

Slide 31

Misconfigured Cloud Resources

Slide 32

Static Code Analysis for Infrastructure as Code

Slide 33

Least Privilege Using Infrastructure as Code: Salesforce/policy_sentry, cloudsplaining

Slide 34

CIS Benchmark
- OS: Configuration, Updates, Filesystem integrity, Boot settings
- Docker: docker/docker-bench-security
- Kubernetes: aquasecurity/kube-bench, aquasecurity/kube-hunter

Slide 35

"There is synergy in combining CWPP and CSPM capabilities… that scans workloads and configurations in development and protect workloads and configurations at runtime." CSPM + DevSecOps + CWPP. Source: 2020 Market Guide for CWPP, Apr. 2020, by Neil MacDonald and Tom Croll

Slide 36

Resources
● Gitlab:
○ https://docs.gitlab.com/ee/user/application_security/sast/
○ https://docs.gitlab.com/ee/user/application_security/dast/
○ https://about.gitlab.com/blog/2019/08/12/developer-intro-sast-dast/
● Github:
○ https://github.com/features/security
○ https://help.github.com/en/github/managing-security-vulnerabilities
● Node: https://owasp.org/www-project-node.js-goat/
● Go: https://github.com/OWASP/Go-SCP
● Free for Open Source Application Security Tools: https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools
● DevSecOps list: https://github.com/krol3/devsecops-resources

Slide 37

Thank you! Questions? in/carolgv | krol3 | @krol_valencia