Slide 1

DevSecOps: Delivering secure software at the speed and scale of DevOps.

Slide 2

Evandro Mohr
Developer, Pilot, Professor, Photographer

Slide 3

“DevOps is not a goal, but a never-ending process of continual improvement” – Jez Humble

Slide 4

It’s all about bottlenecks

Slide 5

Chaotic Model: Fix / Build. First steps in SDLC.

Slide 6

Waterfall Model

Slide 7

Waterfall Model
▪ Long release cycles
▪ Functional silos
▪ Rigid
▪ Lots of WIP

Slide 8

The dawn of Agile
▪ Shorter release cycles
▪ Cross-functional teams
▪ Smaller batch sizes

Slide 9

DEV X OPS

Slide 10

DEV X OPS

Slide 11

DevOps

Slide 12

DevOps
▪ Culture: Principles and practices
▪ Processes: Automated deployment pipeline
▪ Technologies: Supporting tool chain

Slide 13

DevOps Pipeline

Slide 14

How to keep up with security?

Slide 15

DevSecOps: Integrating security into Agile and DevOps

Slide 16

“DevSecOps enables organisations to deliver inherently secure software at DevOps scale and speed.”

Slide 17

Security Practice Checklist
✓ Verify for security early and often
✓ Parameterize queries
✓ Encode data
✓ Validate all inputs
✓ Implement identity and authentication controls
✓ Implement appropriate access controls
✓ Protect data
✓ Implement logging and intrusion detection
✓ Use security frameworks and libraries
✓ Error and exception handling

Slide 18

OWASP Top 10

Slide 19

Security Practice Checklist

Slide 20

DevSecOps

Slide 21

DevOps security hooks

Slide 22

DevSecOps Trigger Points
✓ During development: Static scanning
✓ Pull requests: Static scans (data-flow, semantic and configuration)
✓ Integration branch: Dynamic scanning
✓ QA release candidate integration: Dynamic scanning
✓ Production acceptance: Production-safe dynamic scanning
✓ Post-production: RASP (Runtime Application Self-Protection) and WAF (Web Application Firewall), both of which need their rules kept updated
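As an added example (not from the deck), the trigger points above mapped onto GitLab CI jobs, each gated on the pipeline event that the deck names. The `scripts/*.sh` wrappers and the `EPHEMERAL_URL`, `QA_URL` and `PROD_URL` variables are hypothetical placeholders for the team's own scanners and environments.

```yaml
# Added example: DevSecOps trigger points expressed as GitLab CI stages.
# scripts/*.sh and the *_URL variables are hypothetical placeholders.
stages:
  - sast
  - dast
  - prod-acceptance

# Pull request: static scans of data-flow, semantic and configuration issues.
sast-on-merge-request:
  stage: sast
  script:
    - ./scripts/sast.sh --dataflow --semantic --config
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

# Integration branch: full dynamic scan against a disposable environment,
# so the scanner may send intrusive, state-changing requests safely.
dast-integration:
  stage: dast
  script:
    - ./scripts/deploy-ephemeral.sh
    - ./scripts/dast.sh --target "$EPHEMERAL_URL" --mode full
  rules:
    - if: $CI_COMMIT_BRANCH == "develop"

# QA release candidate: repeat the full dynamic scan on the tagged build.
dast-release-candidate:
  stage: dast
  script:
    - ./scripts/dast.sh --target "$QA_URL" --mode full
  rules:
    - if: $CI_COMMIT_TAG =~ /^rc-/

# Production acceptance: passive (production-safe) scan only, triggered
# by hand, so no fuzzing or state-changing traffic reaches live users.
dast-production-safe:
  stage: prod-acceptance
  script:
    - ./scripts/dast.sh --target "$PROD_URL" --mode passive
  rules:
    - if: $CI_COMMIT_TAG =~ /^v/
      when: manual
```

Post-production controls (RASP, WAF rule updates) sit outside the pipeline and are not represented here.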

Slide 23

DevSecOps
▪ Culture: Principles and practices
▪ Processes: Automated deployment pipeline
▪ Technologies: Supporting tool chain

Slide 24

Culture
▪ Communication and transparency
▪ Blameless postmortems
▪ Continuous improvement
▪ Everyone is responsible for security
▪ Automate as much as possible
▪ Everything as code

Slide 25

Processes: Secure SDLC
▪ Training
▪ Requirements
▪ Architecture & Design
▪ Coding
▪ Testing
▪ Deployment
▪ Post-deployment

Slide 26

Processes: Security Pipeline
▪ Assessment of critical resources
▪ Reduce friction
▪ Increase visibility
▪ Each step repeatable
▪ Drive up dependency

Slide 27

Processes: Security Pipeline

Slide 28

Technologies
▪ Requirements
▪ Code: IDE plugins, SAST
▪ Test: Gauntlt, DAST
▪ Configure: Security as code
▪ Maintenance: Patch management
▪ Monitor: Auditing, attack visibility

Slide 29

Questions?

Slide 30

Thank you very much for your time
You can find me at:
▪ br.linkedin.com/in/evandromohr
▪ t.me/phpcomrapadura