Integrate Security and Compliance into your CI/CD Pipeline
- 3. Agenda
3 | ©2019 F5
• Intro
• DevOps & Automation
• Waterfall vs DevOps
• DevSecOps Principle
• Security in the Pipeline Stages
• Advanced Web Application Firewall Instrumentation for CI/CD Pipeline
• F5 Advanced Web Application Firewall & Automation
• Demo
- 5. DevOps and Automation
• Automation is the ultimate need for DevOps practice, and 'Automate everything' is the key principle of DevOps.
• Automation speeds up and simplifies provisioning and configuring systems, especially at scale.
- 6. Security Should Be No Different
• DevOps adoption is increasing, but security and compliance typically remain afterthoughts.
• Time is of the essence in a continuous environment, and manual security processes can end up preventing the business.
- 7. Waterfall Approach
• Waiting until the system is designed and built
• Then trying to fit some security checks just before release
- 8. DevOps Approach
“Shift Security Left”
OWASP Proactive Controls
https://www.owasp.org/index.php/OWASP_Proactive_Controls
Security toolchain must be:
• Automated
• Efficient
• Repeatable
• Easy to Use
- 10. Security in the Pipeline Stages
Stages, in pipeline order: DEVELOP → INHERIT & BUILD → DEPLOY → OPERATION
- 11. DevSecOps Pipeline : Development (DEVELOP)
• Threat Modeling
• Development Standard
• Static Code Analysis
Threat Modeling
• OWASP App Threat Modeling Cheat Sheet
• OWASP App Sec Verification Standard
• Mozilla Rapid Risk Assessment
Development Standard
• Secure coding practice
• Git-secret
• Git-hound
Static Code Analysis
Open source option (Language/Framework: Tool)
• Ruby: Brakeman
• Java Web Apps: Find Security Bugs
• PHP: Phan
• Node: NodeJsScan
• Golang/Go: GoSec
Commercial option: CODE WARRIOR
- 12. DevSecOps Pipeline : Inherit & Build
• Software Composition Analysis (SCA)
• Dependency Check
• Unit Test
• Container Security
Software Composition Analysis: open source option / commercial option
- 13. DevSecOps Pipeline : Deploy
• Performance & Load Testing
• Dynamic Analysis Security Testing (DAST) & Interactive Application Security Testing (IAST)
• Compliance Check
• WAF Shielding
Compliance Check: open source tool option
DAST & IAST: open source DAST option / commercial DAST option
Web Application Firewall: automation integration
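The three gated stages above (Develop, Inherit & Build, Deploy), as an added example that is not part of the original slides: a small Python gate that applies a per-stage blocking policy to scanner findings and stops at the first failing stage, so the cheapest check blocks the pipeline before anything is built or deployed. The report format, the severity thresholds and the sample findings are all assumptions constructed for this example, not output of any real scanner.

```python
from collections import Counter

# Stages from the slides, in pipeline order: Develop, Inherit & Build, Deploy.
# Each stage names the severities that block the pipeline and how many
# 'medium' findings it tolerates (thresholds are assumptions for the example).
GATE_POLICY = {
    "develop":       {"block": {"high", "critical"}, "max_medium": 5},
    "inherit_build": {"block": {"high", "critical"}, "max_medium": 0},
    "deploy":        {"block": {"high", "critical"}, "max_medium": 0},
}

def evaluate_stage(stage, findings):
    """Apply one stage's policy. findings: list of {'tool', 'id', 'severity'}.
    Returns (passed, reasons); reasons lists every blocking condition."""
    policy = GATE_POLICY[stage]
    reasons = []
    for f in findings:
        if f["severity"].lower() in policy["block"]:
            reasons.append(f"{stage}: {f['tool']} {f['id']} is {f['severity']}")
    mediums = Counter(f["severity"].lower() for f in findings)["medium"]
    if mediums > policy["max_medium"]:
        reasons.append(f"{stage}: {mediums} medium findings exceed limit {policy['max_medium']}")
    return (not reasons, reasons)

def run_pipeline(stage_reports):
    """Evaluate stages in order and stop at the first failing gate (fail fast).
    stage_reports maps stage name -> list of findings.
    Returns (passed, blocked_stage, reasons)."""
    for stage in GATE_POLICY:          # dict keeps insertion order
        passed, reasons = evaluate_stage(stage, stage_reports.get(stage, []))
        if not passed:
            return (False, stage, reasons)
    return (True, None, [])

# Constructed sample reports standing in for real scanner output; the
# CVE id is a placeholder, not a real identifier.
SAMPLE_REPORTS = {
    "develop": [
        {"tool": "brakeman", "id": "SQL Injection", "severity": "High"},
        {"tool": "gosec", "id": "G101 hardcoded credential", "severity": "High"},
    ],
    "inherit_build": [
        {"tool": "dependency-check", "id": "CVE-XXXX-YYYY", "severity": "Medium"},
    ],
    "deploy": [],
}

if __name__ == "__main__":
    ok, stage, reasons = run_pipeline(SAMPLE_REPORTS)
    print("PASS" if ok else f"BLOCKED at {stage}", *reasons, sep="\n")
```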
- 15. SHIFTING LEFT
Lifecycle phases shown: Business Requirements, Design, Coding, Testing, Production
IT Security (Traditional):
• Something got blocked – inconsistency between development and production
• Delays in resolution awaiting SecOps response – no rollback
Common Business Perception: Security is preventing business, breaking the app
- 16. Advanced Web Application Firewall Instrumentation
• Provides Automation
• Visibility (metric based): Attack Events, Attack Logs
• Provides API
• Promotes Learning
• Advanced Application Attacks (Bot/Scraper, DoS)
(Figure: WAF with Anti-Bot protection placed between Mobile Users / Mobile SDK, Attackers and Bots on one side and the APIs on the other)
- 17. F5 Advanced Web Application Firewall and Automation
Inserting automation of the WAF into the CI/CD pipeline
• Faster and easier WAF deployment with frictionless security controls and automation
• Faster application WAF policy deployment, consistent and repeatable, in a declarative manner
• Integration with CI/CD toolchains (ChatOps, SCM, automation & orchestration tools, ELK)
- 18. Summary
• Breaking Down the Silos
• Shifting Left
• Nurturing Security Champions
• Continuous Testing / Test Automation
• Making the Secure Path the Easy Path
- 22. Alone We are smart, together We are brilliant
THANK YOU !
Quote by Steve Anderson