
DevSecOps


If you know neither the enemy nor yourself, you will succumb in every battle.

Yury Nino

July 25, 2019


Transcript

  1. DevSecOps. "If you know neither the enemy nor yourself, you will succumb in every battle." The Art of War, by Sun Tzu.
  2. Nice to meet you. YURY NIÑO, DevOps and Software Engineer, Chaos Engineer Advocate. Loves building software applications, automating processes, solving resilience issues and teaching. Passionate about reading, writing and cycling.
  3. Agenda • What is DevOps? • Why should we consider security? • DevSecOps, SecDevOps ... • How can SecDevOps be implemented?
  4. "DevOps is finding more effective ways of using the power of automation, programmable configuration and release automation to simplify and scale everything from design to build, deployment and operations." Taken from DevOpsSec by Jim Bird.
  5. DevOps is a Good Thing. Amazon has thousands of small ("two pizza") engineering teams working independently and continuously deploying changes across their infrastructure. In 2014, Amazon deployed 50 million changes: that is more than one change deployed every second of every day. From "DevOps: Where No Man Has Gone Before".
  6. Microservices Vulnerabilities • Operational complexity. • Traffic flows are hard to map. • Polyglot programming problem. • Lack of an activity logging strategy. Netflix Microservices Visualization, taken from Medium.
  7. Cloud Vulnerabilities • Data breaches. • Weak identity and access management. • Insecure interfaces and APIs. • Account hijacking. • Data loss. • Abuse of cloud services. • Shared technology issues.
  8. Container Vulnerabilities • Kernel exploits. • Denial of service attacks. • Container breakouts. • Untrusted registries and images.
  9. Security in DevOps • How can security possibly keep up with this rate of change? • How can we understand the risks? • What can we do when there is no time to do pen testing or audits? • Could we add a security sprint?
  10. Dev[Sec]Ops is... empowered engineering teams taking ownership of how their product performs in production [including security]. Taken from DevOpsSec by Jim Bird.
  11. SecDevOps — sometimes called "Rugged DevOps" — is a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes ... It seeks to embed security inside the development process.
  12. • Verify for security early and often. • Implement authentication controls. • Implement logging and intrusion detection. • Take advantage of security frameworks and libraries. • Parameterize queries. • Encode data. • Validate all inputs. • Protect data.
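Three of the practices on this slide (parameterize queries, encode data, validate all inputs) are concrete enough to show side by side. The following is an added example, not code from the deck or its author: a Python lookup written with string concatenation next to the hardened version that validates against an allow-list, binds the value as a query parameter, and HTML-encodes the output. The in-memory SQLite table, the username pattern and the function names are assumptions made for this example.

```python
import html
import re
import sqlite3


def make_db():
    # Constructed in-memory table for the example; nothing here comes from the deck.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Query text built by concatenation: whatever the caller passes becomes SQL.
    # A value such as  x' OR '1'='1  turns a lookup into "return every row".
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    # Bound parameter: the driver passes the value separately from the SQL text,
    # so quotes inside the input are data, never syntax.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list shape for usernames (an assumption for this example).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username):
    # Validate all inputs: accept only the expected shape instead of trying to
    # strip "bad" characters out of arbitrary input.
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting(username):
    # Encode data for the context it is emitted into (here: HTML text content).
    return "<p>Hello, " + html.escape(username) + "</p>"


def lookup(conn, username):
    # Hardened path: validate, query with a bound parameter, then encode output.
    if not is_valid_username(username):
        raise ValueError("invalid username: %r" % username)
    rows = find_user_parameterized(conn, username)
    return [render_greeting(row[0]) for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # both rows leak
    print("parameterized:", find_user_parameterized(db, payload))  # no match
    print("hardened:", lookup(db, "alice"))
```

Note that validation and parameter binding are separate controls: the bound parameter is what stops the injection, while the allow-list keeps junk out of the data layer and out of log lines, and the output encoding protects the next consumer of the value (the browser) rather than the database.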
  13. Tooling • Automate security audits. • Detect security flaws. • Regularly break the build. • Have accurate audit report results. • Use real-time protection. • Focus on instrumentation.
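"Regularly break the build" and "have accurate audit report results" come down to a gate that reads the scanner output and fails the pipeline step on findings above a severity threshold, without letting accepted risks pile up forever. The following is an added example written for this page, not a tool or script from the deck: a Python CI gate over a constructed report in a generic JSON shape (not the export format of any real scanner). The severity ranking, the finding fields and the expiring acceptance list are assumptions made for this example.

```python
import json
from datetime import date

# Constructed sample export, shaped like a generic scanner report.
# It is not the output format of any real tool.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "high",
         "title": "SQL built by string concatenation", "file": "app/search.py"},
        {"id": "F-2", "severity": "low",
         "title": "Missing Content-Security-Policy header", "file": "app/web.py"},
        {"id": "F-3", "severity": "critical",
         "title": "Dependency with a known remote code execution bug",
         "file": "requirements.txt"},
    ]
})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def load_findings(report_text):
    """Parse the report and fail closed on severities the gate does not know."""
    findings = json.loads(report_text)["findings"]
    for f in findings:
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError("unknown severity %r in finding %s" % (f["severity"], f["id"]))
    return findings


def blocking_findings(findings, fail_at="high", accepted=None, today=None):
    """Return the findings that should break the build.

    accepted maps finding id -> ISO expiry date for risks that were reviewed
    and accepted.  An acceptance past its expiry no longer suppresses the
    finding, so the list cannot silently rot into a permanent ignore file.
    """
    accepted = accepted or {}
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        expiry = accepted.get(f["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today:
            continue  # reviewed, and still inside its acceptance window
        blocking.append(f)
    return blocking


def gate(report_text, fail_at="high", accepted=None, today=None):
    """Exit-code style result for a CI step: 0 passes, 1 breaks the build."""
    blocking = blocking_findings(load_findings(report_text), fail_at, accepted, today)
    for f in blocking:
        print("BLOCKING %s %s: %s (%s)"
              % (f["severity"].upper(), f["id"], f["title"], f["file"]))
    return 1 if blocking else 0


if __name__ == "__main__":
    import sys
    # F-1 was accepted until the end of August 2019; F-3 still breaks the build.
    sys.exit(gate(SAMPLE_REPORT, accepted={"F-1": "2019-08-31"}, today="2019-07-25"))
```

The expiry on each acceptance is the part that keeps the audit results accurate: a finding that was "temporarily" accepted resurfaces on its own once the date passes, instead of depending on someone remembering to revisit the list.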
  14. Processes • Establish strong feedback loops. • Perform regular code audits. • Benchmark your performance. • Have documented procedures.
  15. Culture • Engender a culture of openness. • Continuous learning. • Build strong feedback loops. • Nurture security evangelists. • Grow autonomy in every team.