SlideShare une entreprise Scribd logo

How to Get Started with DevSecOps

CYBRIC
CYBRIC

"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io

Technologie
1  sur  27
SESSION TITLE GOES HERE Second Line Goes Here #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Speaker Name Speaker Title Company Name Speaker Name Speaker Title Company Name How to Get Started with DevSecOps #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Andrei Bezdedeanu VP of Engineering
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Waterfall vs. Agile Conception Initiation Analysis Design Development Testing Deployment Development Testing DeploymentRefining Planning Conception
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan Agile Manifesto
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. Development Operations QA DevOps
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Challengers and Enablers to DevOps Challengers • Organizational structure • Lack of understanding • Goals misalignment • Personal egos • Technical incompetency • Corporate politics Enablers • Executive support • Leading by example • Champions • Automation, automation, automation • Technical competency • Early success
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Components of a Successful DevOps Strategy • Continuous Integration • Continuous Delivery • Microservices • Infrastructure as Code • Monitoring and Logging • Communication and Collaboration • Shared Accountability
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Benefits of DevOps • Collaboration – alignment between development and operations teams; handoff friction is reduced; common goals and objectives • Fluid responsiveness – real-time feedback and greater efficiency; changes and improvements can be implemented more quickly • Shorter cycle time – efficiency and communication between teams shortens cycle time; new code can be released more rapidly • Better quality – bugs are discovered and fixed more quickly, goal of every Agile sprint is to deliver working, quality software
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevOps vs SecOps • DevOps does not mean more secure applications! • Growing chasm between DevOps and SecOps • Security testing too late in the application delivery cycle • Testing done by SecOps team not familiar with the code base • Security not often part of initial design • No threat modeling • Fixing vulnerabilities in conflict with sprint goals • Increased frustration for both teams • Finger pointing
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevSecOps • A bridge between fast and secure software development • A cross-functional team composed of Development, Operations, Security and QA • United security and engineering culture • Security at the speed of DevOps, leveraging automation to fullest extent • Making Security an integral part of application design
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Keys to a Successful DevSecOps Transformation • Insert security into the DevOps culture • Break down the “walls” • Design with security in mind • Embed security throughout SDLC • Empower developers with appropriate security tools • Treat everything as code • Manage security posture after deployment • Include Development and Operations in incident response Development Operations QA Security
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Challengers and Enablers to DevSecOps Challengers • Organizational structure • Developers lack knowledge of security tools & practices • Security engineers lack understanding of development Enablers • Executive support • CI/CD • Infrastructure as code • Education
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM “Shift Left” • Empower development team with tools, process and best practices • Security checks in the IDE • Scan code on commit • Scan output of build process • Scan container images built • Scan applications deployed to non-production environments • Scan applications in production • Scan infrastructure and network • Check cloud and network configurations
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Automation and Orchestration • A proper DevSecOps strategy has little room for manual testing and scanning • Functional testing and Penetration testing can still happen, but… • Automate all scans that can be automated • Orchestrate the process by integrating into code repositories, build and deployment pipelines
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM What Scanning Tools Do We Use? Static App Security Testing (SAST) Analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. Software Composition Analysis (SCA) Identify risks from open source libraries and commonly used frameworks, covering both known security vulnerabilities and license risk. Dynamic App Security Testing (DAST) Detect conditions indicative of a security vulnerability in an application in its running state (outside-in) Interactive App Security Testing (IAST) Analyze application behavior in the testing phase by instrumenting the runtime engine to get insight into the application’s logic flow, data flow and configuration. Monitor test attacks initiated by a DAST attack inducer, and then report on the attacks that resulted (or might result) in an application’s exploit.
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM From Code Commit to Deployment [Code Repository] CodeScan(SAST/SCA) Build BinaryScan(SAST/SCA) Stage Deploy Production Deploy App.Scan(DAST) App.Scan(DAST) Network/HostScan Network/HostScan Code Commit Security Tools (SAST, SCA, IAST & DAST) [Build Process] [Staging] [Production]
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Containerization & Cloud Transformation • Integrating security into continuous delivery can be challenging • Developers and IT ops are rarely trained in security • Security teams don’t necessarily know how to code or administer servers • For DevSecOps to work, everyone involved in continuous delivery needs to speak the same language and work with the same environment • Infrastructure as code provides a common framework • Containers are the key to achieving automated, predictable security operations • Container security is a fast maturing space (NIST 800-190)
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Data Aggregation & Single Pane of Glass Security scanning tools provide rich set of vulnerability data • Normalize data into a single format • Consolidate into single issues of the same type • Deduplicate across tools with overlapping coverage • Allow users to override based on what they know • Correlate Static and Dynamic issues • Prioritize exploitable vulnerabilities • Minimize exposure and risk • Remediate quickly
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM How fast, How bad, How expensive? The three questions most asked: 1. How fast can we find out if/when we have a problem? 2. How bad is it (what is the risk)? 3. What is it going to take to fix it?
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Detection & Remediation Metrics Internal Rate of Detection (IRD) • The time it takes to find vulnerabilities • Usually measured as the time between last scan and the first scan that identified a new issue • Measures the risk of having a vulnerability and not knowing about it • More frequent scanning = lower IRD Internal Rate of Remediation (IRR) • The time it takes to fix vulnerabilities • Usually measured as time between detection and remediation • Measures effectiveness of fixing vulnerabilities once found • Addressing issues immediately = lower IRR
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Defect Metrics Severity • Degree of impact a vulnerability has on the development or operation of a component or application being tested • The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of security vulnerabilities • CVSS indicates ease and impact of exploit Confidence Level • Level of confidence in the existence of the vulnerability and also the credibility of the technical details of the vulnerability Defect Density • Number of defects (vulnerabilities, bugs) per thousands of lines of code
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Cost of Remediation Multi-variable calculation without a common standard/definition Variables that can influence cost of remediation: • IRD & IRR • Severity • Confidence Level • Correlation & Exploitability
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Application & Enterprise Risk Various risk estimation frameworks available… OWASP Risk Rating Methodology Risk = Likelihood * Impact Likelihood Factors • Threat Agent Factors (skill, motive, opportunity, size) • Vulnerability Factors (ease of discovery, ease of exploit, awareness, intrusion detection) Impact Factors • Business (financial damage, reputational damage, non-compliance, privacy violation) • Technical (loss of confidentiality, integrity, availability, accountability)
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Incident Response & Management DevSecOps is a good idea… Early vulnerability detection and proper hygiene are good ideas… But breaches will happen!!! Efficient Incident Response is key when that occurs…
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Agile and DevSecOps to the rescue • DevSecOps provides a shared accountability culture • Use information collected prior to the breach in development, testing and production • Use available correlations to efficiently find problems in code and fix them • Use existing automation framework to provide attestation of any fix • Plan remediations and patching immediately or plan as part of next sprint
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM The journey starts where you are today There are no prerequisites for DevSecOps • You can start with code security (start left) • You can start with dynamic application scanning (start right) • You can start ensuring that open source component risks are minimal • You can start by just scanning container images for known vulnerabilities, or… • You can put in place an end-to-end comprehensive strategy Either way, DevSecOps can enable and accelerate the journey
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM No Excuses!!! We are not ready We don’t have any scanning tools We don’t have resources We don’t have time Security is important, but not a priority We don’t have any vulnerabilities We are not mature enough We don’t have CI/CD We are not DevOps
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Email: andrei@cybric.io LinkedIn: @andreibezdedeanu Twitter: @abezdedeanu

Recommandé

DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsMichael Man
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 

Recommandé

DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsMichael Man
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOpsDevOps Indonesia
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and HowNotSoSecure Global Services
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsabhimanyubhogwan
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsJoel Divekar
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..Siddharth Joshi
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevOps Indonesia
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowDevOps.com
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowAmien Harisen Rosyandino
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsCheah Eng Soon
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 

Contenu connexe

Tendances

Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..Siddharth Joshi
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevOps Indonesia
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowDevOps.com
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowAmien Harisen Rosyandino
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 

Tendances (20)

Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 

Similaire à How to Get Started with DevSecOps

Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenNadira Bajrei
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital LandscapeDevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital Landscapestevecooper930744
 
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdfResolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdfMobibizIndia1
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Perforce
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Application Security from the Inside Out
Application Security from the Inside OutApplication Security from the Inside Out
Application Security from the Inside OutUlisses Albuquerque
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Amazon Web Services
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsSuman Sourav
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information SystemsKashfUlHuda1
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 

Similaire à How to Get Started with DevSecOps (20)

Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital LandscapeDevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital Landscape
 
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdfResolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Application Security from the Inside Out
Application Security from the Inside OutApplication Security from the Inside Out
Application Security from the Inside Out
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 

Dernier

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 

Dernier (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

How to Get Started with DevSecOps

  • 1. SESSION TITLE GOES HERE Second Line Goes Here #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Speaker Name Speaker Title Company Name Speaker Name Speaker Title Company Name How to Get Started with DevSecOps #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Andrei Bezdedeanu VP of Engineering
  • 2. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Waterfall vs. Agile Conception Initiation Analysis Design Development Testing Deployment Development Testing DeploymentRefining Planning Conception
  • 3. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan Agile Manifesto
  • 4. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. Development Operations QA DevOps
  • 5. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Challengers and Enablers to DevOps Challengers • Organizational structure • Lack of understanding • Goals misalignment • Personal egos • Technical incompetency • Corporate politics Enablers • Executive support • Leading by example • Champions • Automation, automation, automation • Technical competency • Early success
  • 6. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Components of a Successful DevOps Strategy • Continuous Integration • Continuous Delivery • Microservices • Infrastructure as Code • Monitoring and Logging • Communication and Collaboration • Shared Accountability
  • 7. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Benefits of DevOps • Collaboration – alignment between development and operations teams; handoff friction is reduced; common goals and objectives • Fluid responsiveness – real-time feedback and greater efficiency; changes and improvements can be implemented more quickly • Shorter cycle time – efficiency and communication between teams shortens cycle time; new code can be released more rapidly • Better quality – bugs are discovered and fixed more quickly, goal of every Agile sprint is to deliver working, quality software
  • 8. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevOps vs SecOps • DevOps does not mean more secure applications! • Growing chasm between DevOps and SecOps • Security testing too late in the application delivery cycle • Testing done by SecOps team not familiar with the code base • Security not often part of initial design • No threat modeling • Fixing vulnerabilities in conflict with sprint goals • Increased frustration for both teams • Finger pointing
  • 9. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevSecOps • A bridge between fast and secure software development • A cross-functional team composed of Development, Operations, Security and QA • United security and engineering culture • Security at the speed of DevOps, leveraging automation to fullest extent • Making Security an integral part of application design
  • 10. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Keys to a Successful DevSecOps Transformation • Insert security into the DevOps culture • Break down the “walls” • Design with security in mind • Embed security throughout SDLC • Empower developers with appropriate security tools • Treat everything as code • Manage security posture after deployment • Include Development and Operations in incident response Development Operations QA Security
  • 11. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Challengers and Enablers to DevSecOps Challengers • Organizational structure • Developers lack knowledge of security tools & practices • Security engineers lack understanding of development Enablers • Executive support • CI/CD • Infrastructure as code • Education
  • 12. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM “Shift Left” • Empower development team with tools, process and best practices • Security checks in the IDE • Scan code on commit • Scan output of build process • Scan container images built • Scan applications deployed to non-production environments • Scan applications in production • Scan infrastructure and network • Check cloud and network configurations
  • 13. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Automation and Orchestration • A proper DevSecOps strategy has little room for manual testing and scanning • Functional testing and Penetration testing can still happen, but… • Automate all scans that can be automated • Orchestrate the process by integrating into code repositories, build and deployment pipelines
  • 14. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM What Scanning Tools Do We Use? Static App Security Testing (SAST) Analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. Software Composition Analysis (SCA) Identify risks from open source libraries and commonly used frameworks, covering both known security vulnerabilities and license risk. Dynamic App Security Testing (DAST) Detect conditions indicative of a security vulnerability in an application in its running state (outside-in) Interactive App Security Testing (IAST) Analyze application behavior in the testing phase by instrumenting the runtime engine to get insight into the application’s logic flow, data flow and configuration. Monitor test attacks initiated by a DAST attack inducer, and then report on the attacks that resulted (or might result) in an application’s exploit.
  • 15. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM From Code Commit to Deployment [Code Repository] CodeScan(SAST/SCA) Build BinaryScan(SAST/SCA) Stage Deploy Production Deploy App.Scan(DAST) App.Scan(DAST) Network/HostScan Network/HostScan Code Commit Security Tools (SAST, SCA, IAST & DAST) [Build Process] [Staging] [Production]
  • 16. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Containerization & Cloud Transformation • Integrating security into continuous delivery can be challenging • Developers and IT ops are rarely trained in security • Security teams don’t necessarily know how to code or administer servers • For DevSecOps to work, everyone involved in continuous delivery needs to speak the same language and work with the same environment • Infrastructure as code provides a common framework • Containers are the key to achieving automated, predictable security operations • Container security is a fast maturing space (NIST 800-190)
  • 17. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Data Aggregation & Single Pane of Glass Security scanning tools provide rich set of vulnerability data • Normalize data into a single format • Consolidate into single issues of the same type • Deduplicate across tools with overlapping coverage • Allow users to override based on what they know • Correlate Static and Dynamic issues • Prioritize exploitable vulnerabilities • Minimize exposure and risk • Remediate quickly
  • 18. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM How fast, How bad, How expensive? The three questions most asked: 1. How fast can we find out if/when we have a problem? 2. How bad is it (what is the risk)? 3. What is it going to take to fix it?
  • 19. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Detection & Remediation Metrics Internal Rate of Detection (IRD) • The time it takes to find vulnerabilities • Usually measured as the time between last scan and the first scan that identified a new issue • Measures the risk of having a vulnerability and not knowing about it • More frequent scanning = lower IRD Internal Rate of Remediation (IRR) • The time it takes to fix vulnerabilities • Usually measured as time between detection and remediation • Measures effectiveness of fixing vulnerabilities once found • Addressing issues immediately = lower IRR
  • 20. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Defect Metrics Severity • Degree of impact a vulnerability has on the development or operation of a component or application being tested • The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of security vulnerabilities • CVSS indicates ease and impact of exploit Confidence Level • Level of confidence in the existence of the vulnerability and also the credibility of the technical details of the vulnerability Defect Density • Number of defects (vulnerabilities, bugs) per thousands of lines of code
  • 21. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Cost of Remediation Multi-variable calculation without a common standard/definition Variables that can influence cost of remediation: • IRD & IRR • Severity • Confidence Level • Correlation & Exploitability
  • 22. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Application & Enterprise Risk Various risk estimation frameworks available… OWASP Risk Rating Methodology Risk = Likelihood * Impact Likelihood Factors • Threat Agent Factors (skill, motive, opportunity, size) • Vulnerability Factors (ease of discovery, ease of exploit, awareness, intrusion detection) Impact Factors • Business (financial damage, reputational damage, non-compliance, privacy violation) • Technical (loss of confidentiality, integrity, availability, accountability)
  • 23. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Incident Response & Management DevSecOps is a good idea… Early vulnerability detection and proper hygiene are good ideas… But breaches will happen!!! Efficient Incident Response is key when that occurs…
  • 24. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Agile and DevSecOps to the rescue • DevSecOps provides a shared accountability culture • Use information collected prior to the breach in development, testing and production • Use available correlations to efficiently find problems in code and fix them • Use existing automation framework to provide attestation of any fix • Plan remediations and patching immediately or plan as part of next sprint
  • 25. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM The journey starts where you are today There are no prerequisites for DevSecOps • You can start with code security (start left) • You can start with dynamic application scanning (start right) • You can start ensuring that open source component risks are minimal • You can start by just scanning container images for known vulnerabilities, or… • You can put in place an end-to-end comprehensive strategy Either way, DevSecOps can enable and accelerate the journey
  • 26. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM No Excuses!!! We are not ready We don’t have any scanning tools We don’t have resources We don’t have time Security is important, but not a priority We don’t have any vulnerabilities We are not mature enough We don’t have CI/CD We are not DevOps
  • 27. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Email: andrei@cybric.io LinkedIn: @andreibezdedeanu Twitter: @abezdedeanu

Notes de l'éditeur

  1. d