COMMUNITY DAY MENA Small Leap for Developer, Giant Leap for Security Why DevSecOps is More Important than Ever and How It’s Done

Renaldi Gondosubroto Founder and Developer Advocate @ GReS Studio @Renaldig @renaldigondosubroto COMMUNITY DAY MENA

COMMUNITY DAY MENA Agenda The DevSecOps Culture Secure Strategies Project Planning Collaborating on Security and Compliance Code as Security Designing a DevSecOps Workflow & Architecture Wrap-Up

COMMUNITY DAY MENA What’s Your Security Team Like? Compliance Officer Analyst Program Manager Developers?

COMMUNITY DAY MENA What is Your Culture? Principle of finding the balance between DevOps and security DevSecOps is about culture, not simply practice Everyone is responsible for security

COMMUNITY DAY MENA How DevOps is being Revamped and How it Fits into the Age of Covid-19 Monitoring and Analytics Monitoring and Analytics

COMMUNITY DAY MENA Strategies in creating a more secure environment • Decoupling • Encryption • Construction of a secure workflow

COMMUNITY DAY MENA Decoupling Presentation Layer Application Infrastructure Layer Frontend Route 53 S3 CloudFront VPC1 VPC2

COMMUNITY DAY MENA Project Planning Planning – Setting up roles with security at each step Requirements – Understanding the needs of the project Execution – Coding and deployment based on both dev and security needs Testing – Continual testing through the framework decided on Tracking – Monitoring metrics for success Update – Iteratively make adjustments as necessary

COMMUNITY DAY MENA Secure Planning for the Future • Establish objectives: Deploy collection of environmental data in a simple and secure environment • Ensure all team members understand controls behind the website (blur the line between security and DevOps) • Have developers think of mitigation ahead of time (Such as with reading OWASP top 10)

COMMUNITY DAY MENA Aspects of Security to Collaborate On

COMMUNITY DAY MENA Planning for Incident Response the DevSecOps Way • Have a think; what to assign for the security team to react to and what to assign for the developers to react to? • Plan the usage of continuous monitoring at every step of the way alongside encrypting and validating data logs • Third Party tools such as Opsgenie

COMMUNITY DAY MENA DevSecOps in Scrum in the Age of Covid-19 • It doesn’t have to be Agile vs DevSecOps • Getting security to be part of the conversation • Added to the three questions that may be asked, add a “Will there be any security concerns on the infrastructure?” • Iteratively adding monitoring metrics to services

COMMUNITY DAY MENA DevSecOps with CI/CD • Source, test, production • Make a checklist of services that each go through • Hardening on- and off-premises servers/artifacts Source Test Production

COMMUNITY DAY MENA The Art of Continuous Compliance – PCI DSS SNS CloudWatch ElastiCache Rekognition • Centralize monitoring, logging and alerts • Continuous implementation of Config rules

COMMUNITY DAY MENA Code as Security

COMMUNITY DAY MENA Automating with Simple Workflow Service Customer Set- Up Verify Device Charge Card for Plan Activate Data Plan Provide Access to Services End DynamoDB

COMMUNITY DAY MENA Automating with Simple Workflow Service Web Front End Decision Tasks Verification Tasks Set Up Access to Services Execution History Security Check Tasks Worker for verification Worker for Security Checks Worker for Setting Access to Services Decider Long poll Long poll Long poll Return results Return results Return results

COMMUNITY DAY MENA Creating a Secure Cloud Architecture CloudWatch CloudTrail Config DynamoDB Lambda CodePipeline Kinesis

COMMUNITY DAY MENA Utilizing Opsgenie

COMMUNITY DAY MENA Utilizing Opsgenie Cont.

COMMUNITY DAY MENA Utilizing Opsgenie Cont. in Slack

COMMUNITY DAY MENA If in Sprint, then evaluate how security went! • Product owners also care very much about the security • Evaluate against benchmarks (e.g. CIS Foundations) • Utilizing AWS Inspector • Evaluate tools

COMMUNITY DAY MENA Wrap-Up • It’s just an addition to the already working DevOps culture, but with a touch on security • Minimal costs • Will bring much benefits down the line • Bottom line: Crucial during the navigation of businesses through Covid-19

COMMUNITY DAY MENA Thank You! Connect with me Twitter Handle: @Renaldig LinkedIn: @renaldigondosubroto