Slide 1

COMMUNITY DAY MENA
Small Leap for Developer, Giant Leap for Security: Why DevSecOps is More Important than Ever and How It’s Done

Slide 2

Renaldi Gondosubroto
Founder and Developer Advocate @ GReS Studio
@Renaldig
@renaldigondosubroto

Slide 3

Agenda
• The DevSecOps Culture
• Secure Strategies
• Project Planning
• Collaborating on Security and Compliance
• Code as Security
• Designing a DevSecOps Workflow & Architecture
• Wrap-Up

Slide 4

What’s Your Security Team Like?
• Compliance Officer
• Analyst
• Program Manager
• Developers?

Slide 5

What is Your Culture?
• Principle of finding the balance between DevOps and security
• DevSecOps is about culture, not simply practice
• Everyone is responsible for security

Slide 6

How DevOps is being Revamped and How it Fits into the Age of Covid-19
[Diagram; recoverable label: Monitoring and Analytics]

Slide 7

Strategies in creating a more secure environment
• Decoupling
• Encryption
• Construction of a secure workflow

Slide 8

Decoupling
[Architecture diagram; labels: Presentation Layer, Application Infrastructure Layer, Frontend, Route 53, S3, CloudFront, VPC1, VPC2]

Slide 9

Project Planning
• Planning – Setting up roles with security at each step
• Requirements – Understanding the needs of the project
• Execution – Coding and deployment based on both dev and security needs
• Testing – Continual testing through the framework decided on
• Tracking – Monitoring metrics for success
• Update – Iteratively make adjustments as necessary

Slide 10

Secure Planning for the Future
• Establish objectives: deploy collection of environmental data in a simple and secure environment
• Ensure all team members understand the controls behind the website (blur the line between security and DevOps)
• Have developers think of mitigation ahead of time (such as by reading the OWASP Top 10)

Slide 11

Aspects of Security to Collaborate On

Slide 12

Planning for Incident Response the DevSecOps Way
• Have a think: what should the security team react to, and what should the developers react to?
• Plan the usage of continuous monitoring at every step of the way, alongside encrypting and validating data logs
• Third-party tools such as Opsgenie

Slide 13

DevSecOps in Scrum in the Age of Covid-19
• It doesn’t have to be Agile vs DevSecOps
• Getting security to be part of the conversation
• In addition to the three questions that may be asked, add a “Will there be any security concerns on the infrastructure?”
• Iteratively adding monitoring metrics to services

Slide 14

DevSecOps with CI/CD
• Source, test, production
• Make a checklist of services that each go through
• Hardening on- and off-premises servers/artifacts
[Pipeline diagram; stages: Source → Test → Production]

Slide 15

The Art of Continuous Compliance – PCI DSS
[Diagram; services shown: SNS, CloudWatch, ElastiCache, Rekognition]
• Centralize monitoring, logging and alerts
• Continuous implementation of Config rules

Slide 16

Code as Security

Slide 17

Automating with Simple Workflow Service
[Workflow diagram; steps: Customer Set-Up → Verify Device → Charge Card for Plan → Activate Data Plan → Provide Access to Services → End; data store: DynamoDB]

Slide 18

Automating with Simple Workflow Service
[Architecture diagram; components: Web Front End, Decider, Execution History; task lists: Decision Tasks, Verification Tasks, Security Check Tasks, Set Up Access to Services; workers: Worker for verification, Worker for Security Checks, Worker for Setting Access to Services; each worker long-polls its task list and returns results]
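The two Simple Workflow Service slides show the pieces (decider, execution history, per-step task lists, long-polling workers) but not how a decider actually works, so the following is an added example (not the speaker's code) of that pattern. In SWF the decider runs no business logic: it reads the execution history and emits decisions (ScheduleActivityTask, CompleteWorkflowExecution, FailWorkflowExecution), while activity workers long-poll their task lists and return results that SWF appends to the history. The decider below is a pure function over an SWF-shaped history and is driven by an in-memory stand-in for SWF plus three constructed workers; the event and decision names follow SWF, but the activity names, task-list names and the worker logic (including the security check's allowed-plan rule) are assumptions for this example.

```python
"""Added example: SWF-style decider over an execution history (not the talk's code).

Event and decision type names follow Simple Workflow Service; activity names,
task lists, the workers and the sample requests are assumptions.
"""

# Ordered pipeline from the slide, each step on its own task list (assumed names).
STEPS = [
    ("verify_device", "verification-tasks"),
    ("security_check", "security-check-tasks"),
    ("set_up_access", "access-setup-tasks"),
]


def decide(history):
    """Return the decisions a decider makes after replaying the execution history."""
    scheduled = {}      # eventId of ActivityTaskScheduled -> activity name
    completed = {}      # activity name -> result returned by its worker
    workflow_input = None
    for ev in history:
        kind, attrs = ev["eventType"], ev["attributes"]
        if kind == "WorkflowExecutionStarted":
            workflow_input = attrs["input"]
        elif kind == "ActivityTaskScheduled":
            scheduled[ev["eventId"]] = attrs["activityType"]
        elif kind == "ActivityTaskCompleted":
            completed[scheduled[attrs["scheduledEventId"]]] = attrs["result"]
        elif kind == "ActivityTaskFailed":
            name = scheduled[attrs["scheduledEventId"]]
            # A failed verification or security check aborts the whole customer set-up.
            return [{"decisionType": "FailWorkflowExecution",
                     "reason": f"{name} failed: {attrs['reason']}"}]
    for name, task_list in STEPS:
        if name in completed:
            continue
        if name in scheduled.values():
            return []   # task outstanding: wait for the worker, decide nothing
        # Each step receives the original request plus every result so far.
        return [{"decisionType": "ScheduleActivityTask", "activityType": name,
                 "taskList": task_list,
                 "input": {"request": workflow_input, "results": dict(completed)}}]
    return [{"decisionType": "CompleteWorkflowExecution",
             "result": completed["set_up_access"]}]


# --- constructed workers standing in for the three long-polling worker fleets ---
ALLOWED_PLANS = {"basic", "unlimited"}   # assumed policy enforced by the security check

def verify_device(task):
    device = task["request"]["device_id"]
    if not device.startswith("dev-"):
        raise ValueError("unknown device format")
    return {"device_id": device, "verified": True}

def security_check(task):
    plan = task["request"]["plan"]
    if not task["results"]["verify_device"]["verified"] or plan not in ALLOWED_PLANS:
        raise ValueError(f"plan {plan!r} not permitted for this device")
    return {"approved": True, "plan": plan}

def set_up_access(task):
    return {"access_granted": True, "plan": task["results"]["security_check"]["plan"]}

WORKERS = {"verification-tasks": verify_device,
           "security-check-tasks": security_check,
           "access-setup-tasks": set_up_access}


def run_workflow(request, workers=WORKERS):
    """In-memory stand-in for SWF: apply decisions, hand tasks to workers, grow the history."""
    history = [{"eventId": 1, "eventType": "WorkflowExecutionStarted",
                "attributes": {"input": request}}]
    while True:
        decisions = decide(history)
        if not decisions:
            raise RuntimeError("decider is waiting on a worker that never answered")
        for d in decisions:
            if d["decisionType"] in ("CompleteWorkflowExecution", "FailWorkflowExecution"):
                return d, history
            sched_id = len(history) + 1
            history.append({"eventId": sched_id, "eventType": "ActivityTaskScheduled",
                            "attributes": {"activityType": d["activityType"],
                                           "taskList": d["taskList"]}})
            try:   # the worker polling that task list picks the task up and reports back
                result = workers[d["taskList"]](d["input"])
                history.append({"eventId": len(history) + 1, "eventType": "ActivityTaskCompleted",
                                "attributes": {"scheduledEventId": sched_id, "result": result}})
            except ValueError as exc:
                history.append({"eventId": len(history) + 1, "eventType": "ActivityTaskFailed",
                                "attributes": {"scheduledEventId": sched_id, "reason": str(exc)}})


if __name__ == "__main__":
    outcome, hist = run_workflow({"device_id": "dev-123", "plan": "basic"})
    print(outcome, "after", len(hist), "history events")
    print(run_workflow({"device_id": "dev-123", "plan": "enterprise"})[0])
```

Because the decider only replays history, the security check cannot be skipped: access set-up is scheduled solely when the history already contains a completed security_check result, which is the property that makes this a "code as security" control rather than a convention workers are trusted to follow.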

Slide 19

Creating a Secure Cloud Architecture
[Architecture diagram; services shown: CloudWatch, CloudTrail, Config, DynamoDB, Lambda, CodePipeline, Kinesis]

Slide 20

Utilizing Opsgenie

Slide 21

Utilizing Opsgenie Cont.

Slide 22

Utilizing Opsgenie Cont. in Slack

Slide 23

If in Sprint, then evaluate how security went!
• Product owners also care very much about the security
• Evaluate against benchmarks (e.g. CIS Foundations)
• Utilizing AWS Inspector
• Evaluate tools

Slide 24

Wrap-Up
• It’s just an addition to the already working DevOps culture, but with a touch on security
• Minimal costs
• Will bring many benefits down the line
• Bottom line: crucial during the navigation of businesses through Covid-19

Slide 25

Thank You!
Connect with me
Twitter Handle: @Renaldig
LinkedIn: @renaldigondosubroto