Introduction to DevSecOps

Link to YouTube video: https://youtu.be/-awH_CC4DLo
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn id: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/

Basic Introduction to DevSecOps concept
Why, What and How for DevSecOps
Basic intro for Threat Modeling
Basic Intro for Security Champions
3 pillars of DevSecOps
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
How to integrate security in CI/CD pipeline


1. Abhimanyu Bhogwan
   InfoSec Consultant with 10 yrs of experience in multiple security domains
   Hobbies: yoga, driving, music
2. Introduction to DevSecOps
3. What is DevOps?
   • DevOps (development and operations) is an enterprise software development phrase used to mean a type of agile relationship between development and IT operations.
   • The goal of DevOps is to change and improve that relationship by advocating better communication and collaboration between these two business units.
4. Evolution of DevOps
5. What is DevSecOps?
   • DevSecOps refers to ‘DevOps with integrated security.’
   • DevSecOps promotes a ‘security is a shared responsibility’ culture, wherein security is not the responsibility of one specific team; everyone in the team is accountable for security.
   • DevSecOps aims to integrate security controls in the early stages of software development rather than implementing them at the end.
6. Integrating Security in DevOps
7. Why do we need DevSecOps?
   • DevOps’ focus on speed often leaves security teams flat-footed and reactive.
   • Cultural resistance to security.
   • DevOps and cloud environments.
   • Containers and other tools carry their own risks.
   • Unmanaged secrets and poor privileged access controls open dangerous backdoors.
   • To help expedite workflows, DevOps teams may allow almost unrestricted access to privileged accounts (root, admin, etc.).
8. Uber Delivers a Cautionary Lesson for the DevOps Culture
   • It’s arguable what was more egregious about Uber’s breach of the information of 57 million customers as well as roughly 600,000 drivers: the fact that Uber paid hackers hush money to conceal the hack from the public for months, or the reckless disregard for proper security that led to the hack.
   • In this instance, an Uber employee published credentials on GitHub, a popular cloud-based, open-source code repository used by developers. A hacker simply captured the Uber credentials off GitHub, then leveraged them for privileged access on Uber’s Amazon AWS instances. As inexcusable (or at least as inadvisable) as this practice sounds, developers commonly embed authentication credentials and other DevOps secrets haphazardly into code for easy access.
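The control that catches the practice slide 8 describes is a secret scanner run before commit or in CI. The following is an added example, not code from the deck or its author: it applies three constructed rules to source text (an AWS-style access key id, an assignment to a credential-looking variable, and any long high-entropy string literal) and reports only a masked preview so the scanner's own output does not leak the value into CI logs. The rule names, thresholds and the sample source are all made up for the example.

```python
"""Hardcoded-secret detector: an added example, not from the deck.

Slide 8 describes credentials embedded in source and pushed to a public
repository. This scanner runs the kind of pre-commit / CI check that catches
the pattern. Rule names, thresholds and the sample source are constructed.
"""
import math
import re
from collections import Counter

# Constructed sample source (the values are made up, not real credentials).
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIA0123456789ABCDEF"
aws_secret = "s3cr3tValueThatIsLongEnough99"
db_password = "hunter2"
region = "us-east-1"
greeting = "hello world, this is a perfectly ordinary string literal"
blob = "Zq8vT3nLpX9wK2mR7bYdF4hJ6sN1cV5gA0eU"
"""

# Rule 1: AWS access key ids have a fixed "AKIA" prefix plus 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: a credential-looking identifier assigned a quoted literal of 4+ characters.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"\b\w*(?:password|passwd|secret|token|api_?key|access_key)\w*\s*=\s*[\"']([^\"']{4,})[\"']",
    re.IGNORECASE,
)
# Rule 3 candidates: quoted literals of 20+ characters containing no whitespace.
LONG_LITERAL = re.compile(r"[\"']([^\"'\s]{20,})[\"']")
ENTROPY_THRESHOLD = 4.0  # bits per character; a constructed cut-off for this example


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _finding(line_no: int, rule: str, value: str) -> dict:
    # Only a short masked preview leaves the scanner, never the full value.
    return {"line": line_no, "rule": rule, "preview": value[:4] + "..."}


def scan_for_secrets(text: str) -> list[dict]:
    """Return at most one finding per line, checking rules in priority order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if m := AWS_KEY_ID.search(line):
            findings.append(_finding(line_no, "aws_access_key_id", m.group(0)))
            continue
        if m := CREDENTIAL_ASSIGNMENT.search(line):
            findings.append(_finding(line_no, "credential_assignment", m.group(1)))
            continue
        for literal in LONG_LITERAL.findall(line):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append(_finding(line_no, "high_entropy_literal", literal))
                break
    return findings


if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} ({f['preview']})")
```

Run as a script it reports lines 2, 3, 4 and 7 of the sample; the `region` and `greeting` literals are skipped because they are short or contain whitespace. The entropy rule is the noisy one in practice, which is why it runs last and only on literals the two exact rules did not already claim.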
9. Here are six important components of a DevSecOps approach:
   • Code analysis – deliver code in small chunks so vulnerabilities can be identified quickly.
   • Change management – increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad.
   • Compliance monitoring – be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.).
   • Threat investigation – identify potential emerging threats with each code update and be able to respond quickly.
   • Vulnerability assessment – identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched.
   • Security training – train software and IT engineers with guidelines for set routines.
10. DevOps Security Best Practices
   • Embrace a DevSecOps model
   • Enforce policy & governance
   • Automate your DevOps security processes and tools
   • Perform comprehensive discovery
   • Conduct vulnerability management
   • Adopt configuration management
   • Secure access with DevOps secrets management
   • Control, monitor, and audit access with privileged access management
   • Segment networks
11. Integrate Security in CI/CD pipeline
12. Different aspects of DevSecOps security in the software lifecycle, including tools
   • Static Code Analysis – scans for vulnerabilities in the code after coding but before unit testing, during development (e.g., SonarQube)
   • Configuration Management and Compliance – know how your application is configured and whether it follows your policies (e.g., Ansible, Chef, Puppet)
   • Dynamic Code Analysis – scan your code for vulnerabilities in how it performs; execute unit tests to find errors (e.g., SonarLint, VeraCode)
   • Vulnerability Scanning – automatically identify known issues in your application for penetration testing (e.g., Nessus)
   • Infrastructure as Code – ensures the application is deployed securely and without errors in a repeatable manner (e.g., Ansible)
   • Continuous Monitoring – information on how the application is running, collected and monitored to identify issues and feed future improvements; this is done in the production environment (e.g., Splunk, AppDynamics)
   • Container Security – monitor and protect containers (e.g., BlackDuck)
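Slides 11 and 12 place a scanner at each pipeline stage; what makes them a gate rather than a report is the policy step that reads their normalized output and decides whether the build proceeds. The following is an added example, not code from the deck or any of the tools it names: findings already reduced to one shape are checked against a severity threshold and against reviewed risk acceptances that are bound to one rule at one location and that expire. The tool labels, rule ids, locations, ticket numbers and dates are constructed.

```python
"""CI/CD security gate: an added example, not from the deck.

Takes normalized scanner findings, applies a severity threshold and
time-bounded, location-specific risk acceptances, and returns a decision.
All ids, locations, tickets and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    tool: str        # which pipeline stage produced it (constructed label)
    rule_id: str     # scanner rule or advisory id (constructed)
    severity: str
    location: str    # file:line or manifest entry


@dataclass(frozen=True)
class RiskAcceptance:
    """A reviewed exception, bound to one rule at one location, with an expiry.

    Binding to the location means a second instance of the same rule elsewhere
    is not silently covered; the expiry means the exception is re-reviewed.
    """
    rule_id: str
    location: str
    expires: date
    ticket: str


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    accepted: list = field(default_factory=list)
    expired_acceptances: list = field(default_factory=list)


def evaluate_gate(findings, acceptances, today, fail_at="HIGH"):
    """Fail the build on any unaccepted finding at or above `fail_at`."""
    threshold = SEVERITY_RANK[fail_at.upper()]
    active, expired = {}, []
    for a in acceptances:
        if a.expires < today:
            expired.append(a)            # lapsed: reported, no longer honoured
        else:
            active[(a.rule_id, a.location)] = a
    result = GateResult(passed=True, expired_acceptances=expired)
    for f in findings:
        if (f.rule_id, f.location) in active:
            result.accepted.append(f)
            continue
        rank = SEVERITY_RANK.get(f.severity.upper(), 0)  # unknown severity never blocks silently? no: it ranks 0 and is surfaced as a warning
        if rank >= threshold:
            result.blocking.append(f)
        else:
            result.warnings.append(f)
    result.passed = not result.blocking
    return result


def summarize(result: GateResult) -> list[str]:
    """Human-readable lines for the CI log."""
    lines = [f"gate: {'PASS' if result.passed else 'FAIL'}"]
    lines += [f"  BLOCK   {f.severity:<8} {f.rule_id} @ {f.location} ({f.tool})" for f in result.blocking]
    lines += [f"  WARN    {f.severity:<8} {f.rule_id} @ {f.location} ({f.tool})" for f in result.warnings]
    lines += [f"  ACCEPT  {f.severity:<8} {f.rule_id} @ {f.location}" for f in result.accepted]
    lines += [f"  EXPIRED acceptance {a.ticket} for {a.rule_id} @ {a.location}" for a in result.expired_acceptances]
    return lines


# Constructed sample run: four findings from three stages, two acceptances.
TODAY = date(2025, 6, 1)
FINDINGS = [
    Finding("sast", "hardcoded-credential", "CRITICAL", "src/config.py:12"),
    Finding("dependency-scan", "DEP-0001", "HIGH", "requirements.txt:7"),
    Finding("sast", "weak-hash-md5", "MEDIUM", "src/auth.py:44"),
    Finding("container-scan", "root-user-in-image", "HIGH", "Dockerfile:1"),
]
ACCEPTANCES = [
    RiskAcceptance("root-user-in-image", "Dockerfile:1", date(2030, 1, 1), "RISK-42"),  # still valid
    RiskAcceptance("weak-hash-md5", "src/auth.py:44", date(2020, 1, 1), "RISK-7"),      # lapsed
]


def run_demo(fail_at="HIGH") -> GateResult:
    return evaluate_gate(FINDINGS, ACCEPTANCES, TODAY, fail_at)


if __name__ == "__main__":
    print("\n".join(summarize(run_demo())))
```

With the default HIGH threshold the sample build fails on the credential and the dependency advisory, the accepted container finding is listed but does not block, and the lapsed acceptance is surfaced so someone re-reviews it. Raising the threshold to CRITICAL turns the dependency finding into a warning; the point is that the threshold and the acceptances are data the security team owns, not logic buried in each scanner's invocation.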
13. DevSecOps has three Pillars of Strength
   People: Trust • Collaboration • Transparency • Communication • Incentive and responsibility alignment • Governance
   Tools: Build • Test • Deploy • Monitor • Security • Logging
   Process: Continuous Integration • Continuous Testing • Continuous Delivery • Continuous Monitoring • Configuration Management
14. Security Champions in DevSecOps
   • Who are Security Champions?
     Security Champions are "active members of a team that may help to make decisions about when to engage the Security Team". They act as a core element of the security assurance process within the product or service, and hold the role of the Single Point of Contact (SPOC) within the team.
   • What benefits do Champions bring to my company?
     Scaling security through multiple teams; engaging "non-security" folks; establishing the security culture.
15. Threat Modeling
   DevSecOps threat modeling is an organizational culture that ensures security is a consideration from the beginning stages of development. Organizations can use DevSecOps to build more secure applications without causing a lot of friction in their build and deploy process.
16. SAST & DAST
   Static application security testing (SAST): SAST is also known as “white-box testing”, meaning it tests the internal structures or workings of an application, as opposed to its functionality. It operates at the level of the source code in order to detect vulnerabilities. Since SAST analysis is conducted before code compilation, and without executing it, this tool can be applied early in the software development lifecycle (SDLC). Most SAST tools support the major web languages: PHP, Java, and .Net, and some form of C, C++, or C#.
   Dynamic application security testing (DAST): DAST is a “black-box testing” method, meaning it is performed from the outside in. The principle revolves around introducing faults to test code paths on an application. For instance, it can use threat data feeds to detect malicious activity. DAST doesn’t require source code or binaries since it analyzes by executing the application.
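Slide 16's defining property of SAST, that it works on source before compilation and without executing anything, is easiest to see in a small analyzer. The following is an added example, not code from the deck or from any SAST product: it parses Python with the standard-library `ast` module, walks every call site, and applies three constructed rules (dynamic code execution, `subprocess` with `shell=True`, and a weak hash). The sample source and rule names are made up for the example.

```python
"""Minimal SAST pass over Python source: an added example, not from the deck.

Parses the code, walks the call sites and matches three constructed rules.
Nothing in the scanned source is executed.
"""
import ast

# Constructed sample source containing two flagged calls, one clean call and one eval.
SAMPLE_SOURCE = """\
import subprocess, hashlib

def run(cmd):
    return subprocess.run(cmd, shell=True)

def digest(data):
    return hashlib.md5(data).hexdigest()

def safe_run(args):
    return subprocess.run(args, shell=False)

def calc(expr):
    return eval(expr)
"""

SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                    "subprocess.check_call", "subprocess.check_output"}
WEAK_HASHES = {"hashlib.md5", "hashlib.sha1"}


def call_name(func: ast.expr) -> str:
    """Dotted name of a call target, e.g. 'subprocess.run'; '' when it is not a plain name."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = call_name(func.value)
        return f"{base}.{func.attr}" if base else ""
    return ""


def _has_shell_true(node: ast.Call) -> bool:
    # Only a literal True counts; a variable would need data-flow analysis to resolve.
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in node.keywords)


class CallVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []   # (line, rule, call target)

    def visit_Call(self, node: ast.Call):
        name = call_name(node.func)
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, "dynamic-code-execution", name))
        elif name in SUBPROCESS_CALLS and _has_shell_true(node):
            self.findings.append((node.lineno, "subprocess-shell-true", name))
        elif name in WEAK_HASHES:
            self.findings.append((node.lineno, "weak-hash", name))
        self.generic_visit(node)   # arguments and chained calls may contain calls too


def scan_source(source: str) -> list[tuple[int, str, str]]:
    """Parse `source` and return findings sorted by line number."""
    visitor = CallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, rule, target in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {rule} ({target})")
```

The sample yields findings at lines 4, 7 and 13 and correctly ignores the `shell=False` call. The matching is purely lexical: `from subprocess import run` or an alias would be missed, which is the false-negative problem that production SAST tools address with import resolution and data-flow analysis, and it is why a toy like this is a teaching aid rather than a substitute for the tools slide 12 names.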
17. IAST and RASP
   Interactive application security testing (IAST): IAST uses software instrumentation to assess how an application performs and to detect vulnerabilities. IAST has an “agent-like” approach, meaning agents and sensors are run to continually analyze the application’s workings during automated testing, manual testing, or a mix of the two. The process and feedback happen in real time in your integrated development environment (IDE), continuous integration (CI) environment, or quality assurance, or while in production. The sensors have access to: the entire code; data flow and control flow; system configuration data; web components; and back-end connection data.
   Runtime application self-protection (RASP): RASP is capable of inspecting application behavior, as well as the surrounding context. It captures all requests to ensure they are secure and then handles request validation inside the application. RASP can raise an alarm in diagnostic mode and prevent an attack in protection mode, which is done by either stopping the execution of a certain operation or terminating the session.
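The diagnostic-versus-protection distinction on slide 17 is the part of RASP worth seeing in code, because the inspection is identical in both modes and only the response differs. The following is an added example, not code from the deck or from any RASP product: a guard wraps a request handler inside the application, inspects each request's parameters against three constructed rules (a `..` path segment, control characters, an oversized value), records every hit, and in protection mode stops the operation before the handler runs. The request shape, rules, limits and sample traffic are all constructed.

```python
"""In-process request guard in the RASP style: an added example, not from the deck.

Diagnostic mode records the event and lets the handler run; protection mode
records it and stops the operation. Rules, limits and traffic are constructed.
"""
import re
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DIAGNOSTIC = "diagnostic"   # alarm only
    PROTECTION = "protection"   # alarm and stop the operation


class BlockedRequest(Exception):
    def __init__(self, rule: str, param: str):
        super().__init__(f"{rule} in parameter '{param}'")
        self.rule = rule


@dataclass
class Request:
    path: str
    params: dict


TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")          # a '..' path segment
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")  # anything but tab/newline
MAX_PARAM_LEN = 256                                           # constructed limit


def inspect_request(req: Request) -> list[tuple[str, str]]:
    """Return (rule, parameter) pairs for every rule a parameter trips."""
    hits = []
    for name, value in req.params.items():
        if TRAVERSAL.search(value):
            hits.append(("path-traversal", name))
        if CONTROL_CHARS.search(value):
            hits.append(("control-characters", name))
        if len(value) > MAX_PARAM_LEN:
            hits.append(("oversized-parameter", name))
    return hits


class Guard:
    """Decorator that validates a request inside the application before the handler runs."""

    def __init__(self, mode: Mode):
        self.mode = mode
        self.events = []   # (path, hits); in a deployment this is what feeds the SIEM

    def __call__(self, handler):
        def wrapped(req: Request):
            hits = inspect_request(req)
            if hits:
                self.events.append((req.path, hits))          # both modes raise the alarm
                if self.mode is Mode.PROTECTION:
                    raise BlockedRequest(*hits[0])            # protection mode stops the operation
            return handler(req)
        return wrapped


# Constructed sample traffic: one clean request, one traversal attempt, one oversized parameter.
SAMPLE_REQUESTS = [
    Request("/download", {"name": "report.pdf"}),
    Request("/download", {"name": "../../secrets.txt"}),
    Request("/search", {"q": "x" * 300}),
]


def run_demo(mode: Mode):
    """Serve the sample traffic under `mode`; return (outcomes, recorded events)."""
    guard = Guard(mode)

    @guard
    def handle(req: Request) -> str:
        return f"ok:{req.path}"

    outcomes = []
    for req in SAMPLE_REQUESTS:
        try:
            outcomes.append(handle(req))
        except BlockedRequest as blocked:
            outcomes.append(f"blocked:{blocked.rule}")
    return outcomes, guard.events


if __name__ == "__main__":
    for mode in Mode:
        outcomes, events = run_demo(mode)
        print(mode.value, outcomes, f"{len(events)} events")
```

Both modes record the same two events for the sample traffic; only protection mode changes what the caller sees. That symmetry is the operational reason to deploy in diagnostic mode first: the event stream shows what protection mode would have blocked, so false positives are found before any legitimate operation is stopped.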
18. Conclusion
   • DevSecOps needs to be a proactive, customer-centric approach rather than a reactive one.
   • DevSecOps benefits include cost reduction, speed of delivery, speed of recovery, compliance at scale, etc.
   • DevSecOps helps us detect and fix issues earlier in the development process, thus greatly reducing the cost associated with identifying and fixing them.
