This document discusses implementing DevSecOps at scale. It begins with an introduction and agenda, then covers the motivations for DevSecOps: shifting security left and making it a shared responsibility. It describes the current state (no security requirements in backlogs, no security testing, no shared tooling) and the target state, which integrates security earlier in delivery using tools such as SonarQube and ZAP. It outlines DevSecOps practices such as threat modeling, security testing in pipelines, and monitoring. Challenges include aligning teams, reducing build wait times, and configuring tools across projects. Lessons learned center on process engineering, knowledge sharing, and establishing security operations.
2. About me
• Security Architect at Maersk
• MS in Software Engineering from CMU
• Over 15 years of software development experience in roles as Developer, Team Lead, Product Architect and Security Architect
• Proud mother of two boys
• Love learning and open source
• Generally suspicious of everything
• @Priyankarags on Twitter
5. State of System
• Not many teams define security requirements in the backlog
• Security not built into design
• Security moved to the end (penetration testing, working off a checklist)
• Pockets of excellence, with some teams using their own tools for secure development
• Perceived lack of community support groups to help with secure development; teams perceive security as "hard to do"
• 16 agile teams, 71 pipelines, different technology stacks, microservices architecture, 4 months to code freeze and 1 Security Architect
• No existing tools used for security testing
Target State
• Security requirements placed in Azure DevOps
• "Secure by Design" is not a mantra but is followed by doing threat modeling as a group exercise
• Security moved to the left: it starts earlier
• Build security into DevOps
• Use tools that are easy to adopt and scale
• Shared responsibility
• Security is not a burden and is easy to adopt; build a culture around security
• Logs are sent to the SOC for monitoring
Priyanka Raghavan 5
6. DevSecOps in practice - Where did I start?
• OWASP resources to start
• OWASP Top 10
• OWASP Cheat Sheet Series
• OWASP security headers education: https://owasp.org/www-project-secure-headers/
• ZAP, SonarQube with the security profile
• Open source tooling (Vandana's talk: https://www.youtube.com/watch?v=cD3-1rb_HNM)
• https://www.redhat.com/en/topics/devops/what-is-devsecops
7. DevSecOps in practice - Where did I start?
• Created a wiki and started the exercise of educating teams
• Joined a security champions forum
• Prototyped running open source security tooling in Jenkins, Argo and Azure DevOps
8. DevSecOps in practice
• Collect security requirements (tags in Azure DevOps)
• Threat modeling (OWASP Threat Dragon, Microsoft Threat Modeling Tool, whiteboard)
• SAST (Static Application Security Testing: SonarQube with the security profile)
• DAST (Dynamic Application Security Testing: ZAP)
• Third-party open source dependency monitoring and container scanning (WhiteSource / Twistlock and Azure standard security monitoring)
• Mandatory HTTP security header checking (Strict-Transport-Security, Content-Security-Policy, X-XSS-Protection, X-Frame-Options, X-Content-Type-Options: nosniff)
• TLS site certificate checker (Qualys SSL Labs)
• Logging and monitoring (send Azure Security Center logs to the SOC, Datadog)
• Penetration testing (manual testing)
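The header-checking step above is the kind of gate that is easy to automate in a pipeline. The following is an added example written for this page, not code from the deck or from Maersk: a small checker for the five headers listed, with a hypothetical policy (HSTS max-age of at least one year with includeSubDomains; a CSP that has a default-src and allows no unsafe-inline/unsafe-eval scripts; X-Frame-Options DENY or SAMEORIGIN; X-Content-Type-Options nosniff; and, following the OWASP Secure Headers project linked earlier, X-XSS-Protection set to 0 rather than the legacy filter). The two header sets at the bottom are constructed samples; `fetch_headers` uses only the standard library so the same checks can run against a deployed environment from a build agent.

```python
"""Check HTTP security headers against a minimal policy (added example)."""
from __future__ import annotations

import re
import sys
import urllib.request
from typing import Dict, List

MIN_HSTS_MAX_AGE = 31536000  # one year; hypothetical team policy


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise for lookup."""
    return {k.lower().strip(): v.strip() for k, v in headers.items()}


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    h = _norm(headers)
    findings: List[str] = []

    # 1. HSTS: present, long enough max-age, covers subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too low: {hsts}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # 2. CSP: present, has default-src, and script-src (or its default-src
    #    fallback) allows neither 'unsafe-inline' nor 'unsafe-eval'.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = {d.strip().split(" ")[0]: d.strip()
                      for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("CSP has no default-src")
        script = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
            findings.append(f"CSP allows unsafe script: {script}")

    # 3. Clickjacking protection.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options missing or weak: {xfo or '<none>'}")

    # 4. MIME sniffing protection.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # 5. The legacy XSS auditor header: OWASP now recommends the value 0.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(f"X-XSS-Protection should be 0 (legacy filter): {xss}")

    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch response headers for a live check (HEAD request, stdlib only)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed samples, not captured from any real site.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
}
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python check_headers.py https://example.test
        findings = check_security_headers(fetch_headers(sys.argv[1]))
        print("\n".join(findings) or "OK")
        sys.exit(1 if findings else 0)  # fail the pipeline stage on findings
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_security_headers(hdrs) or "OK")
```

Run with a URL argument from a post-deployment stage to make the step a hard gate; run without arguments to see the constructed samples evaluated. The CSP check is deliberately narrow (it looks only at script sources); a fuller evaluation would also cover object-src, base-uri and frame-ancestors.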
9. DevSecOps in Practice
• Get integrated with teams and participate in architectural discussions
• Security during design whiteboarding
• 7 out of 10 steps can be automated in the pipeline
• Build a DevSecOps template and store it in the repos
10. DevSecOps in Practice
• Knowledge share with security warriors
• Create a Confluence wiki to share information
• Compliance through dashboards
• Tips and tricks to solve vulnerabilities
• Create squads to help teams learn from each other
• Keep pushing the security agenda with upper management
• Training for developers and agile teams
13. DevSecOps in Practice
• Track security requirements and work items in Azure DevOps
14. Challenges so far...
• Getting a seat at the table in design discussions
• Getting time for "security debt" in the backlog
• Aligning teams to discuss technology stacks and versions (third-party vulnerabilities); using the same version of .NET, Java, React.js
• Finding volunteers to fix bugs and share knowledge with teams
• Following the same pattern for authentication and authorization across APIs (how to generate JWT tokens for easy testing)
• Reducing build wait times on agents (scheduling cron jobs)
• Monitoring alerts from cloud providers
• Configuring DAST (ZAP) across projects for different needs and different authentication methods
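The JWT point above (one shared way to obtain a token so that testers, and an authenticated DAST job, can call every API the same way) is something a team can keep in its DevSecOps template. The following is an added example written for this page, not code from the deck or from Maersk: it mints and verifies an HS256 JWT with only the Python standard library. The secret, issuer and claim names are hypothetical. HS256 with a shared secret is convenient for non-production testing because the same secret both signs and verifies; production APIs should keep validating tokens issued by the real identity provider, and the verifier pins the algorithm so an `alg: none` or key-confusion token is rejected.

```python
"""Mint and verify an HS256 JWT for test environments (added example)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


class InvalidToken(Exception):
    """Raised when a token fails structural, signature or expiry checks."""


def _b64url(data: bytes) -> str:
    """JWT uses base64url without padding (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact_json(obj: Dict[str, Any]) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint_test_jwt(secret: bytes, claims: Dict[str, Any],
                  ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Return a signed compact-serialised JWT carrying `claims` plus iat/exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{_b64url(_compact_json(header))}.{_b64url(_compact_json(payload))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_test_jwt(secret: bytes, token: str, now: Optional[int] = None) -> Dict[str, Any]:
    """Verify signature and expiry, returning the claims. Algorithm is pinned."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("bad header encoding") from exc
    # Never take the algorithm from the token: reject 'none' and anything else.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forger cannot time byte-by-byte matches.
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise InvalidToken("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise InvalidToken("token expired or exp missing")
    return payload


if __name__ == "__main__":
    # Hypothetical test secret and claims; in a pipeline, read these from the
    # agent's secret store rather than from source.
    secret = b"test-only-shared-secret-do-not-use-in-prod"
    token = mint_test_jwt(secret, {"iss": "devsecops-test", "sub": "ci-tester",
                                   "roles": ["reader"]}, ttl_seconds=900)
    print("Authorization: Bearer", token)
    print("claims:", verify_test_jwt(secret, token))
```

The printed `Authorization` header is what a tester pastes into a client, or what a DAST run injects into every request, so that each API is exercised with the same token format regardless of which team owns it.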
15. Lessons Learnt
Process
• Non-functional squad to drive the agenda
• Exchange of knowledge and resources to scale and adopt the process
• Security debt is seen as an important item
Engineering Enablement
• Security templates to enable CI/CD
• Build examples of how to use popular tools and their benefits
• Facilitate discussions between architects and teams
• Make friends with developers
Security Operations
• Dashboards to monitor progress
• Monitor alerts on non-prod and prod
• Audit logging for forensics
• Good communication between the SOC and teams