Brief of benefits of DevSecOps DevSecOps = Security +DevOps DevSecOps = New culture + new skills + automation

1. Demonstrating
Benefits of DevSecOps
for Secure Code and Operations
Finto Thomas
Event : 8th Dec 2020 - GISEC 2020 - Dubai

2. Finto Thomas
Cybersecurity Architect and Strategist
• 15 Years in IT and Information Security domains across multiple industries
• Presently at Alef Education and Leading Information Security function
• Previously worked at IBM and Wipro, across multiple geo locations
• Key Certifications: CISSP, SABSA, TOGAF, CISM, SANS-GSTRT
Connect with me @FintoNT LinkedIn
Disclaimer : The views expressed in these slides are my own. They do not represent the position of my
current and past employers
@FintoNT 2#GISEC 2020

3. Topics Covered
• Embedding Security into DevOps
• Benefits and Constraints
• Key Takeaways
#GISEC 2020 @FintoNT 3

4. Before we get in to DevSecOps – Let us see how DevOps works
#GISEC 2020 @FintoNT 4
Developer Source Code
Repository
Build CI/CD Server
QA
Staging
Production
& Monitor
✗
Instant Feedback

5. DevOps + Security = DevSecOps
#GISEC 2020 @FintoNT 5
✓
Start End
Build
✓
Artifactory
Deploy
✓
Staging
Setup
✓
Staging Deploy
✓
Production
Deploy
✓
UAT
✓
Start End
Build
✓
Artifactory
Deploy
✓
Staging
Setup
✓
Staging Deploy
Production
Deploy
✓
UAT
✓
SCA
✓
SAST
✓
DAST
✓
Infrastructure
Vul Scan
✓
Production
Setup
✓
Production
Setup
✓
Compliance
Check
✓
Production
Approval
✓
Production
Approval
✓✗
Instant Feedback
SCA – 600 Alerts
SAST – 1000 Alerts (false positive included)
DAST – 5 Alerts
DevOps
DevSecOps

6. DevOps Pipeline
#GISEC 2020 @FintoNT 6
Plan Code Build Test Release Deploy Operate Monitor
Design Sprint
define Use Case
Prioritization
Stakeholders
Code
Development
Source Code
Management
Review &
Merging
Continues
Integration
Build Status
Packaging
Artifact
Repository
Pre deployment
Staging
Provisioning
Infrastructure
Orchestration
Configuration Management
Performance
Monitoring
Application
Monitoring
Alerting
Continues Test
Feedback
UAT

7. DevSecOps Phases mapped to type of security tools
#GISEC 2020 @FintoNT 7
Plan Code Build Test Release Deploy Operate Monitor
IDE Plugin
Pre Commit
hooks
Secrets
Management
SAST
SCA
Feedback on business Risk
DevSecOps - CI CD Pipeline
Threat Modeling
Security Use
Case
Prioritization
Regulations
Policies
Container
Security
System
Hardening
DAST
Compliance
Web Application
Firewall
Vulnerability
Management
PAM

8. Security function benefits from DevSecOps
#GISEC 2020 @FintoNT 8
Rapid Business value delivery Rapid user feedback Scalable and Auto SizingFast to Market, Market Edge
1. Shift Left – Security is baked-in in early stages
2. Products have inbuilt security controls – Robust , Secure products to market
3. Less vulnerable product – Build test will fail automatically while developer “commit” (save) the code
4. Security is everyone's responsibility – Better collaboration among the whole app development chain
5. High Returns on security Investment – Early detection and remediation save effort and time

9. Developers benefits from DevSecOps
#GISEC 2020 @FintoNT 9
Rapid Business value delivery Rapid user feedback Scalable and Auto SizingFast to Market, Market Edge
1. Instant feedback - Developers getting faster feed back on security tests and use cases (~5 mints)
2. No more surprises from Security reports – Security is a part of pipeline and transparent to all
3. Better Security awareness and collaboration – One Team + One agenda + One delivery

10. Operational benefits from DevSecOps
#GISEC 2020 @FintoNT 10
Rapid Business value delivery Rapid user feedback Scalable and Auto SizingFast to Market, Market Edge
1. Early detection and prevention systems – Security threats and Incidents can be identified early stages of pipeline
2. Easy to fix production issues– Isolate it with out production impact
3. Expectations are more clear and simple – Compliance , Hardening etc are established in early stages as “user
stories”
4. Automation reduces Ops team effort from security maintenance – repeatable remediation steps can be automated

11. Key constraints
#GISEC 2020 @FintoNT 11
1. Asset/Service Inventory, tracking and billing – Orphan and testing containers and systems
2. Identity and Access Management - Hardcoded and decentralized credentials
3. High Cost of Enterprise Tools & limitations – Language specific , Cloud licensing need attention
4. Skill shortage on DevSecOps – Market adoption still in early stages
5. Adoption of new mindset and tools – Definition of perimeter changes and it is no more traditional

12. DevSecOps =
#GISEC 2020 @FintoNT 12
New Culture + New Skills + Automation
People
ProcessTools
Scalable
Culture
Innovation
Skills
Speed
Automation
Success
DevSecOps

13. Methodologies and Culture
#GISEC 2020 @FintoNT 13
1. Embrace Developers with right tools and advises, find Security tools that Developers will actually use
2. Security needs to adopt Agile – Sprint models and process that’s fit for new environments. Automation is key.
3. Identify and eliminate the Risk early as possible in the workflow with relevant prioritizations and trade-offs

14. Peoples and Skills
#GISEC 2020 @FintoNT 14
Zero Trust
3. Collaborate on Problem solving, avoid blame game
1. Build Personal Trust and break silos
2. Encourage Security mindsets and Security champions with relevant trainings and incentive programs

15. Tools and Technologies
#GISEC 2020 @FintoNT 15
3. Traditional Security tools often do not work with new environment
2. Traditional Security solutions are logically valuable, but need to adopt with new environment
1. Adopt new programable tools, which Developers really use, Security team role is advisory and enablers

16. Maturity Assessment
#GISEC 2020 @FintoNT 16
https://www.slideshare.net/derweeksglobal/abn-amro-devsecops-journey
1. OWASP 2. ABN AMRO Model (level 5)
https://owasp.org/www-project-devsecops-maturity-model/

17. Key Takeaways
Technology and Tools Process and Methodologies People and Skills
#GISEC 2020 @FintoNT 17
DevSecOps = New Culture + New Skills + Automation
Bake in Security into DevOps flow,
do not try to bolt security later
Security control must be
programable and automated
wherever possible
Keep an eye on simpler and better
programable options
Use tools and methods that
developer team actually use
Adopt Agile and lean methods
Involve security as early as possible
in the workflow and best to do at
design & planning phase
Fix by priorities, do not attempt to
fix it all
DevSecOps feedback process must
be smooth and governed
Metric and KPI needs to relevant
and easy to generate
Build personal relations and trust
Break silos; do not isolate
Identify and nurture “security
champions” in each team
Focus on problem and solution; Do
not blame the person or team
Conduct short and repeatable
training sessions and training
videos

18. External Documents referred
• https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defending-Web-Applications-in-the-Age-
of-DevOps.pdf
• https://dzone.com/articles/effective-devsecops
• https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Shrivastava-DevSecOps.pdf
• https://www.sonatype.com/hubfs/2018%20State%20of%20the%20Software%20Supply%20Chain%20Report.pdf
• https://www.veracode.com/state-of-software-security-report#snap__subnav_51096
• https://docs.aws.amazon.com/whitepapers/latest/introduction-devops-aws/two-pizza-teams.html
• https://www.infoq.com/presentations/devsecops-2019/
• https://owasp.org/www-project-devsecops-maturity-model/
#GISEC 2020 @FintoNT 18

19. #GISEC 2020 @FintoNT 19