2. ABOUT ME
• Regional Director, Hysn Technologies and Practical DevSecOps
• DevSecOps Indonesia Community Leader
• Speaker, Trainer & Independent Consultant
• Speaker at DevSecCon Singapore
• 9 years of experience in the Governance, Risk and Compliance area
• Passionate about building community
• Love travelling and networking
• Contact me
  • LinkedIn: bajrei.nadira@gmail.com
  • Telegram: nadirabajrei
  • Twitter: @nadirabajrei1
Nadira Bajrei
3. ABOUT DEVSECOPS INDONESIA
Purpose: Community for open discussion on application security
Rule: No rules, but please avoid spamming
Value: Share, learn and respect each other's opinion
Since 02 November 2018 | 1068 Members
Join us on Telegram: DevSecOpsIndonesia
4. DevSecOps Meetup History
Meetup 1 - August 2019
Host: Bank Mandiri
Participants: 103
Speakers: 1. Suman Sourav (VP Security, Lazada); 2. Amien Harisen (CEO, Tjakrabirawa)
Meetup 2 - September 2019
Host: PT. Megaxus
Participants: 45
Speakers: 1. Rusdi Rachim (CISO, Indosat); 2. Vandy (VP Security, Bukalapak)
Meetup 3 - October 2019
Host: BukaLapak
Participants: 34
Speakers: 1. Mohammed A. Imran (CTO, Practical DevSecOps); 2. Vandy (VP Security, Bukalapak)
Meetup 4 - November 2019
Host: tiket.com
Participants: 80
Speakers: 1. Erick (Cyber Security Consultant, KPMG); 2. Ari Apridana (IT Security, tiket.com)
Meetup 5 - December 2019
Host: Indosat
Participants: -
Speakers: 1. Joko Moro (GRC, Blibli); 2. Nadira (Regional Director, Hysn Tech)
5. 2020 Meetup Plan
Meetup 6 - January 2020
Host: blibli.com
Participants: -
Speakers: -
Meetup 7 - February 2020
Host: Deloitte Consulting
Participants: -
Speakers: -
Meetup 8 - March 2020
Host: F5
Participants: -
Speakers: -
Meetup 9 - April 2020
Host: -
Participants: -
Speakers: -
Meetup 10 - May 2020
Host: -
Participants: -
Speakers: -
Meetup 11 - June 2020
Host: -
Participants: -
Speakers: -
What does DevSecOps Indonesia need?
• Call for Host
• Call for Speaker
• Call for Volunteer
Please reach out to me by email: bajrei.nadira@gmail.com or Telegram: @nadirabajrei
14. What is DevSecOps?
• In simple words, it is about bringing security practices into DevOps.
• Security is everybody's responsibility (Dev, Ops, Sec).
• What is DevOps then?
• A cultural and professional movement that stresses communication, collaboration and integration between software developers, IT operations and other professionals, while automating the process of software delivery and infrastructure changes.
15. to build on the mindset that 'everyone is responsible for security', with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context, without sacrificing the safety required.
16. DevOps complements Agile to break the "silos" and achieve better Business-IT alignment, increased delivery certainty, faster speed to market and more secure applications.
[Figure: the "wall" between each of four parties and what each wants]
Customers - wanting flexibility: create flexibility, improve time to market
Development - wanting change: create effective change, add/modify features
IT Operations - wanting stability: create stability, enhance services
IT Security - wanting security: create security, enhance security service, security as code
Brackets below the columns label the progressively wider scopes bridging these walls: Agile Dev, DevOps, DevSecOps.
17. Pipeline stages: Build - Integrate - Test - Deploy - Release - Operate
Spans shown across these stages: Agile Development; Continuous Integration; Continuous Delivery; Continuous Deployment; DevOps/DevSecOps.
Business decision to go live (the release gate that distinguishes continuous delivery from continuous deployment)
Security as code; shift-left security testing
22. CALMS - DevOps Core Values
Culture: Culture change is never easy, but without culture change all practices fail.
Automation: Automation alone cannot give you DevOps, but DevOps cannot succeed without it; avoid tools that enforce silos.
Lean: Creates more value for the customer with fewer resources and less waste.
Measure: If you can't measure it, you can't improve it.
Sharing: Sharing to enhance collaboration and tight integration between business, developers, operations and also security.
23. Characteristics of DevOps Culture (DevOps Values - Culture)
• Shared vision, goals and incentives
• Open, honest, two-way communication
• Collaboration
• Respect
• Trust
• Transparency
• Continuous improvement
• Data driven
• Safe
• Reflection
• Recognition
*To achieve this we should shift thought and behaviour, and build a culture of safe failure as well as a culture of continuous improvement.
24. Culture Change is never easy (DevOps Values - Culture)
1. You can't change people; they can only change themselves.
2. Change almost always takes longer and costs more than expected.
3. Stakeholder involvement is critical.
4. People who participate in decisions about what and how to change are far more likely to accept change.
25. The Stages of Change Acceptance (DevOps Values - Culture)
Q: What is critical?
A: Communication
1. A DevOps culture requires timely and effective communication.
2. Shared tools facilitate timely and meaningful communication:
• Chat platform
• Task managers
• Social tools
• Alert management tools
• Knowledge sharing platform
26. DevOps Values - Automation
HOW?
1. Architect before automating
2. Assess our existing tools and automation capabilities
3. Identify critical gaps
4. Seek a vendor for a POC
5. Automate high-value and repetitive work
6. Optimise workflow bottlenecks
*Do not underestimate the effort and cost of building a toolchain from open source applications; open source is not necessarily free, as you need to modify the source to fit your needs.*
When adopting automation, avoid tools that enforce silos.
27. Objective per stage (span labels on the slide: Agile - CI; DevSecOps)
Stage | Objective
Plan | Backlog grooming, define user stories, burn-down charts, security requirements
Develop | Develop apps and services using version control, traceability, and CI
Build | Manage, track and document all changes to application and configuration management
Test | Automate test script execution, including regression, user acceptance and security
Deploy | Deploy apps and provision environments using automation & standardised configurations
Operate | Measure performance of environment and application
29. Security within the software lifecycle
Plan: Security requirements
Develop: Source code review
Test: VA/Pentest
Operate: SIEM
Further activities listed on the slide: Security hardening; Antivirus; Patch management; Security awareness; the security guy as SME (subject matter expert)
30. DevOps Values - Lean
Muda - Waste
A simple statement to identify waste: "If you are not adding value, then you are adding waste."
How do we eliminate waste?
✓ Start finishing, stop starting, or limit WIP (work in progress)
✓ Avoid hand-overs
Mura - Reduce inconsistency
✓ Make everything as simple as possible
Muri – Overburden
It represents activities where processes, people, or machines are pushed beyond a reasonable limit.
✓ Remove bottlenecks
32. DevOps Values - Measure
Speed: Change lead and cycle times; Deployment frequency; Deployment speed
Quality: Change failure rate; Deployment success rate; Incidents and defects
Stability: Mean time to detect incident (MTTD); Mean time to recover (MTTR) - component; Mean time to restore service (MTRS) - service
Culture: Retention & loyalty; Engagement; Knowledge sharing
Make it visible, enable transparency.
Use the same dashboard for Dev, Ops, Sec, even Business.
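As an added example (not from the slides or the community's own tooling), the script below computes the Speed, Quality and Stability measures named above from deployment and incident records and folds them into one dashboard dictionary that Dev, Ops, Sec and Business could share. The records, timestamps, measurement window and function names are all constructed for illustration; MTTR per component needs a component-repair timestamp that the sample data does not carry, so only MTTD and MTRS are computed.

```python
# Added example, not from the slides: computing the Speed / Quality / Stability
# measures from constructed deployment and incident records.
# All records, the 30-day window and the helper names are constructed.
from datetime import datetime
from statistics import mean

# Constructed sample deployments (one record per production deploy).
# "committed": first commit of the change; "deployed": when it reached production;
# "failed": whether the deploy caused a failure needing remediation (a change failure).
DEPLOYMENTS = [
    {"id": "d1", "committed": "2019-11-01T09:00:00", "deployed": "2019-11-02T09:00:00", "failed": False},
    {"id": "d2", "committed": "2019-11-03T10:00:00", "deployed": "2019-11-03T16:00:00", "failed": True},
    {"id": "d3", "committed": "2019-11-05T08:00:00", "deployed": "2019-11-06T08:00:00", "failed": False},
    {"id": "d4", "committed": "2019-11-10T12:00:00", "deployed": "2019-11-12T12:00:00", "failed": False},
]

# Constructed sample incidents. "started": when the fault began; "detected": when
# monitoring or the SIEM raised it; "restored": when service was back for users.
INCIDENTS = [
    {"id": "i1", "started": "2019-11-03T16:30:00", "detected": "2019-11-03T17:00:00", "restored": "2019-11-03T19:00:00"},
    {"id": "i2", "started": "2019-11-20T02:00:00", "detected": "2019-11-20T02:10:00", "restored": "2019-11-20T03:10:00"},
]

PERIOD_DAYS = 30  # constructed measurement window covering the sample data


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


# Speed
def change_lead_time_hours(deploys) -> float:
    """Mean time from commit to running in production."""
    return mean(hours_between(d["committed"], d["deployed"]) for d in deploys)


def deployment_frequency_per_week(deploys, period_days: int) -> float:
    """Deployments per week over the measurement window."""
    return len(deploys) / (period_days / 7)


# Quality
def change_failure_rate(deploys) -> float:
    """Share of deployments that caused a failure (0.0 to 1.0)."""
    return sum(1 for d in deploys if d["failed"]) / len(deploys)


def deployment_success_rate(deploys) -> float:
    return 1.0 - change_failure_rate(deploys)


# Stability
def mttd_hours(incidents) -> float:
    """Mean time to detect: fault start to detection."""
    return mean(hours_between(i["started"], i["detected"]) for i in incidents)


def mtrs_hours(incidents) -> float:
    """Mean time to restore service: fault start to service restored."""
    return mean(hours_between(i["started"], i["restored"]) for i in incidents)


def dashboard(deploys, incidents, period_days: int) -> dict:
    """One set of numbers for Dev, Ops, Sec and Business to look at together."""
    return {
        "speed": {
            "change_lead_time_hours": round(change_lead_time_hours(deploys), 2),
            "deployments_per_week": round(deployment_frequency_per_week(deploys, period_days), 2),
        },
        "quality": {
            "change_failure_rate": change_failure_rate(deploys),
            "deployment_success_rate": deployment_success_rate(deploys),
            "incidents": len(incidents),
        },
        "stability": {
            "mttd_hours": round(mttd_hours(incidents), 2),
            "mtrs_hours": round(mtrs_hours(incidents), 2),
        },
    }


if __name__ == "__main__":
    for area, values in dashboard(DEPLOYMENTS, INCIDENTS, PERIOD_DAYS).items():
        print(area, values)
```

The point of keeping the security-relevant numbers (MTTD from the SIEM, change failures from security-related rollbacks) in the same structure as the delivery numbers is the slide's last line: one dashboard, not a separate security report nobody else reads.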
34. DevOps: Increasing Agility & Stability
• High performing teams deploy more frequently and have much faster lead times.
• They make changes with fewer failures, and recover faster from failures.
• High performing teams spend less time fixing security issues.
35. Strategies for Building DevSecOps Culture
Develop a culture
✓ Embrace transparency & openness
Establish a strong feedback loop
✓ Provide the team with a collaboration platform
Create Security Champions
✓ Identify individuals who understand security within both the Dev and the Ops groups.
Team autonomy
✓ Successful DevSecOps leaders empower their teams and give them the authority to determine many of their own processes and tools based on their needs.
Put "Sec" in silently
✓ Integrate the "sec" aspect into the pipeline and make sure it does not stop the build.
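As an added example (not from the slides, and not any real scanner's or CI system's interface), the script below shows one way to put "sec" into the pipeline without stopping the build: a scan step that starts in report mode, where findings are only summarised for the job log and dashboard, and can later be switched to enforce mode that fails only on new findings at or above a chosen severity, with previously accepted findings held in a baseline. The JSON report shape, finding ids, rule names, file paths and function names are all constructed.

```python
# Added example, not from the slides: a pipeline security step that starts in
# "report" mode (findings are recorded, the build is never stopped) and can be
# switched to "enforce" mode once the team has agreed a baseline.
# The scanner output format, ids, rule names and paths are constructed.
import json

# Constructed scanner output in a made-up JSON shape, standing in for the
# report file a SAST or dependency scanner would write in the pipeline.
SCAN_OUTPUT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "HIGH", "rule": "hardcoded-secret", "file": "app/config.py", "line": 12},
        {"id": "F-2", "severity": "MEDIUM", "rule": "weak-hash-md5", "file": "app/auth.py", "line": 17},
        {"id": "F-3", "severity": "LOW", "rule": "debug-enabled", "file": "app/settings.py", "line": 3},
    ]
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_findings(raw: str) -> list:
    """Parse the (constructed) scanner report, dropping entries with unknown severities."""
    data = json.loads(raw)
    return [f for f in data.get("findings", []) if f.get("severity") in SEVERITY_RANK]


def summarise(findings: list) -> dict:
    """Count findings per severity so the result is visible on the shared dashboard."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def evaluate(findings: list, mode: str = "report", fail_on: str = "HIGH",
             baseline: frozenset = frozenset()) -> tuple:
    """Decide the step's exit code.

    mode="report":  never stop the build; everything is only reported.
    mode="enforce": stop the build (exit 1) only for findings at or above
                    `fail_on` whose ids are not in the accepted `baseline`.
    Returns (exit_code, list of human-readable lines for the job log).
    """
    if mode not in ("report", "enforce"):
        raise ValueError("mode must be 'report' or 'enforce'")
    lines = [f"{f['severity']:8} {f['rule']} ({f['file']}:{f['line']})" for f in findings]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on] and f["id"] not in baseline
    ]
    if mode == "report":
        lines.append(f"report mode: {len(blocking)} finding(s) would block in enforce mode")
        return 0, lines
    if blocking:
        lines.append(f"enforce mode: {len(blocking)} new finding(s) at or above {fail_on}, failing the step")
        return 1, lines
    lines.append("enforce mode: no new blocking findings")
    return 0, lines


if __name__ == "__main__":
    found = parse_findings(SCAN_OUTPUT)
    print(summarise(found))
    code, log = evaluate(found, mode="report")
    print("\n".join(log), "\nexit", code)
```

The design choice worth noting is the baseline: switching from report to enforce without one fails the build on every pre-existing finding at once, which is exactly the "security stops the build" experience the slide warns against. Recording the ids already known and failing only on new ones lets the gate tighten gradually while the "would block" line in report mode tells the team how far they are from being able to flip the switch.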