DEVOPS INDONESIA
Fauzi Ramadhan
DevOps Community in Indonesia
Jakarta, 18 December 2019
Integrating Security and Compliance into CI/CD Pipeline
JAKARTA ● DECEMBER 18
Agenda
• Intro
• DevOps & Automation
• Waterfall vs DevOps
• DevSecOps Principles
• Security in the Pipeline Stages
• Advanced Web Application Firewall Instrumentation for CI/CD Pipeline
• F5 Advanced Web Application Firewall & Automation
• Demo
3 | ©2019 F5
(Diagram: DEVELOPMENT / OPERATIONS)
DevOps and Automation
• Automation is the ultimate need for DevOps practice, and 'Automate everything' is the key principle of DevOps.
• Automation speeds up and simplifies provisioning and configuring systems, especially at scale.
Security Should Be No Different
• DevOps adoption is increasing, but Security and Compliance typically remain afterthoughts.
• Time is of the essence in a continuous environment, and a manual security process can end up holding back the business.
Waterfall Approach
• Waiting until the system is designed and built
• Then trying to fit some security checks in just before release
DevOps Approach
OWASP Proactive Controls
https://www.owasp.org/index.php/OWASP_Proactive_Controls
“Shift Security Left”
Security ToolChain must be:
• Automated
• Efficient
• Repeatable
• Easy to Use
DevSecOps Principles
• Breaking Down the Silos
• Shifting Left
• Nurturing Security Champions
• Continuous Testing / Test Automation
• Making the Secure Path the Easy Path
Security in the Pipeline Stages
(Diagram: DEVELOP → INHERIT & BUILD → DEPLOY → OPERATION)
DevSecOps Pipeline: Development (DEVELOP)
• Threat Modeling
• Development Standard
• Static Code Analysis
Threat Modeling
• OWASP App Threat Modeling Cheat Sheet
• OWASP App Sec Verification Standard
• Mozilla Rapid Risk Assessment
Development Standard
• Secure coding practice
• Git-secret
• Git-hound
Open Source option / Commercial option: CODE WARRIOR
Static Code Analysis
Language/Framework   Tool
Ruby                 Brakeman
Java Web Apps        Find Security Bugs
PHP                  Phan
Node                 NodeJsScan
Golang/Go            GoSec
DevSecOps Pipeline: Inherit & Build (INHERIT & BUILD)
• Software Composition Analysis (SCA)
• Dependency Check
• Unit Test
Container Security
Software Composition Analysis: Open Source option / Commercial option
DevSecOps Pipeline: Deploy (DEPLOY)
• Performance & Load Testing
• Dynamic Application Security Testing (DAST) & Interactive Application Security Testing (IAST)
• Compliance Check
• WAF Shielding
Open Source tool for Compliance Check
DAST & IAST: Open Source DAST Option / Commercial DAST Option
Automation Integration
Web Application Firewall
DevSecOps Pipeline: Operation (OPERATION)
(Diagram: WAF, Anti-Bot, Mobile SDK; Mobile, Users, Attackers, Bots, APIs)
• Web Application Firewall (WAF Shielding)
• Security Orchestration
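A gate for the Develop and Inherit & Build stages above, added here as an example (it is not code from the deck, from DevOps Indonesia or from F5): it merges SARIF 2.1.0 reports from scanners such as those in the deck's table (gosec and recent Brakeman releases can both emit SARIF), fails the build at or above a chosen severity, and keeps an accepted-risk list so a triaged finding stops blocking later builds, which is "making the secure path the easy path" in practice. Assumptions: the scanners have already run with SARIF output; the sample reports, rule ids and file paths below are constructed.

```python
"""CI security gate for the Develop and Inherit & Build stages (added example).
Reads SARIF 2.1.0 reports from the scanners in the deck's pipeline (gosec and
Brakeman can both emit SARIF) and fails the stage when a finding at or above the
configured level is not on the accepted-risk list. Sample reports are constructed."""
import json
import sys
from dataclasses import dataclass

# SARIF result levels, ordered so a threshold comparison is possible.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str
    uri: str
    line: int
    message: str

    @property
    def fingerprint(self) -> str:
        """Stable key for the accepted-risk list: tool, rule and location."""
        return f"{self.tool}:{self.rule_id}:{self.uri}:{self.line}"


def parse_sarif(text: str) -> list:
    """Flatten one SARIF document into Finding records."""
    findings = []
    for run in json.loads(text).get("runs", []):
        driver = run["tool"]["driver"]
        # A rule may carry a default level; the result's own level wins.
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                tool=driver["name"], rule_id=rule_id,
                level=res.get("level") or defaults.get(rule_id, "warning"),
                uri=phys.get("artifactLocation", {}).get("uri", "?"),
                line=int(phys.get("region", {}).get("startLine", 0)),
                message=res.get("message", {}).get("text", "")))
    return findings


def evaluate(reports, fail_level="error", accepted=frozenset()):
    """Apply the gate policy; returns the verdict and the findings by bucket."""
    threshold = LEVEL_RANK[fail_level]
    verdict = {"blocking": [], "accepted": [], "informational": []}
    for text in reports:
        for f in parse_sarif(text):
            if f.fingerprint in accepted:            # triaged: never blocks again
                verdict["accepted"].append(f)
            elif LEVEL_RANK.get(f.level, 2) >= threshold:
                verdict["blocking"].append(f)
            else:
                verdict["informational"].append(f)
    verdict["passed"] = not verdict["blocking"]
    return verdict


def _result(rule, level, uri, line, text):
    """One constructed SARIF result object (illustrative rule ids and paths)."""
    return {"ruleId": rule, "level": level, "message": {"text": text}, "locations": [
        {"physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}


def _sarif(tool, results):
    return json.dumps({"version": "2.1.0",
                       "runs": [{"tool": {"driver": {"name": tool}}, "results": results}]})


# Constructed sample reports, not real scanner output.
GOSEC_REPORT = _sarif("gosec", [
    _result("G101", "error", "cmd/server/main.go", 42, "Potential hardcoded credentials"),
    _result("G104", "warning", "internal/db/conn.go", 88, "Errors unhandled")])
BRAKEMAN_REPORT = _sarif("Brakeman", [
    _result("SQL-INJECTION", "error", "app/controllers/users_controller.rb", 17, "Possible SQL injection")])

if __name__ == "__main__":
    # In CI: pass the scanners' SARIF files as arguments; with none, the samples run.
    reports = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [GOSEC_REPORT, BRAKEMAN_REPORT]
    v = evaluate(reports)
    for f in v["blocking"]:
        print(f"BLOCK {f.tool} {f.rule_id} {f.uri}:{f.line} {f.message}")
    print(f"{len(v['blocking'])} blocking, {len(v['accepted'])} accepted, {len(v['informational'])} informational")
    sys.exit(0 if v["passed"] else 1)
```

The non-zero exit code is what makes the CI stage fail; the accepted-risk fingerprints would normally live in a reviewed file in the repository rather than be passed in code.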
SHIFTING LEFT
(Diagram: BUSINESS REQUIREMENTS, CODING, DESIGN, TESTING, PRODUCTION)
IT Security (Traditional): Common Business Perception
• Something got blocked – inconsistency between development and production
• Delays in resolution awaiting SecOps response – no rollback
Security is preventing business, breaking the app
Advanced Web Application Firewall Instrumentation
• Provides Automation
• Visibility (Metric Based): Attack Events, Attack Logs
• Provides API
• Promotes Learning
• Advanced Application Attacks (Bot/Scraper, DoS)
(Diagram: WAF, Anti-Bot, Mobile SDK; Mobile, Users, Attackers, Bots, APIs)
F5 Advanced Web Application Firewall and Automation
Inserting Automation of WAF in CI/CD Pipeline
• Faster and easier to deploy WAF with frictionless security controls & Automation
• Speeds up WAF policy deployment, consistently and repeatably, in a declarative manner
• Integration with CI/CD ToolChains (ChatOps, SCM, Automation & Orchestration Tools, ELK)
Summary
• Breaking Down the Silos
• Shifting Left
• Nurturing Security Champions
• Continuous Testing / Test Automation
• Making the Secure Path the Easy Path
(Diagram: SECURITY, DEVELOPMENT, OPERATIONS)
Building Collaboration
Increasing Collaboration and Feedback Between SecOps and DevOps
Stay Connected
@IDDevOps
http://www.devopsindonesia.com
@IDDevOps
DevOps Indonesia
@devopsindonesia
“Alone We are smart, together We are brilliant” (Quote by Steve Anderson)
THANK YOU !
