Agile has made it possible to deliver a lot product lines and service lines almost like instant coffee , tea and instant everything. It has created a lot of diverse needs especially the need to keep pace with Dev and Operations and everything is expected to continuous along the pipeline without breaking anything along the way. This would mean features , security , builds , releases and the whole nine yards that go with putting your app or product out there. We shall look at DEVSECOPS along with why everything else associated with this initiative that needs to be continuous . Without this mindset agile shall be a term that shall not have much of relevance let alone deliver a product or feature in the best quality and time frame.

1. CONTINOUS EVERYTHING
IN THE AGE OF INSTANT
EVERYTHING
KIRAN DIVAKARAN
@ETURNTI

2. Misys
BFL
Consultant and Technology Evangelist
with companies to help them in their
business transformation and digital
transformation journeys
Training and mentoring Architects and
Technology leaders
Enterprise Architecture Expert with the
Digital India Initiative
Ex Vice Chair TOGAF® Standing
Committee
Governing Board Member CCICI
WHAT DO I DO ?

3. NEED FOR EVERYTHING COUNTINOUS AND BOUNDARY LESS

4. NOT ONLY IN PRODUCT PIPELINES BUT ALSO IN INDUSTRY VALUE CHAINS

5. ALL OF THIS NEEDS A CONTINUUM AND NOT BROKEN PIECES
-JACK WELSH

6. AGE OF BOUNDARYLESS INFORMATION FLOW

7. APIs EVERY WHERE
ENTERPRISE ARCHITECTURE AND BLURRING THE BOUNDARIES, API ECONOMY -DISCOVERING NEW BUSINESS MODELS AT INTERSECTIONS – MDI GURGAON

8. Courtesy : DZone
APIs WITHIN A VALUE CHAIN

9. GHOST RIDES SCAM

10. In 2017, the Equifax credit reporting agency
used Struts in an online portal, and due to
Equifax not identifying and patching a
vulnerable version of Struts, attackers were
able to capture personal consumer information
such as names, Social Security numbers, birth
dates and addresses of over 148 million US
consumers, nearly 700,000 UK residents, and
more than 19,000 Canadian customers.
EQUIFAX SCAM

11. VALUE CHAIN CUTTING ACROSS MANY DOMAINS TO ACHIEVE BIZ VALUE

12. SALESFORCE.COM GENERATES 50 PERCENT OF ITS
REVENUES VIA ITS API VIA ITS API.
TRAVEL SITE, EXPEDIA, A WHOPPING 90 PERCENT OF
ITS REVENUE IS CONDUCTED VIA ITS API.

13. EVERYTHING AROUND US HAS TO BE CONTINOUS

14. Continuous
Everything
Continuous
Production
Continuous
Integration
Continuous
Automation
Continuous
Governance
Continuous
Monitoring
Continuous
Testing
WHERE DOES THIS LEAVE US WITH SECURITY ?
Continuous
Security

15. https://www.linkedin.com/pulse/dynamics-devops-adoption-dr-pallab-saha/
CAUSAL LOOP FOR DEVOPS

16. DEVOPS IS A JOURNEY ITSELF
INTRODUCING SECURITY
ADDS TO THE
COMPLEXITY

17. CAN SECURITY PACE WITH THE RATE AT WHICH CODE IS PUSHED ?

18. ENTER
DEV SECOPS / SEC DEV / RUGGED DEV OPS
= SECURITY AUTOMATION AT SCALE

19. IMPACT OF SECURITY ON BUSINESS
Proliferation of Shadow IT
Business Agility impacted due to slow security cycles.
Security unable to keep pace with Business
Adhoc projects and rogue development
True DevOps requires maturity
Slow threat assessments
Not enough patching
Reactive security posture of the company
SECURITY OPERATIONS

20. WHAT ARE WE MISSING HERE ?
Courtesy :Henrik Kniberg

21. 1. We need to discover a solution that is valuable, usable, feasible and viable.
2. We need to deliver a solution that is reliable, scalable, performant and maintainable.
& Of Course SECURE
WHAT WE ARE NOT CAPTURING ARE THE UNDERLYING ISSUES

22. Value Risk - will they use/buy it?
Usability Risk - can they use it?
Feasibility Risk - can we build it?
Business Viability Risk - will this work for our business?
Security Risk – Is our solution vulnerable or hack proof ?
SOLVE OR BRAINSTORM ON THESE RISKS BEFORE YOU WRITE A LINE OF CODE

23. DISCOVERY AND DELIVERY
Courtesy : Marty Cagan SVPG
Build to learn
Build to run a business
DUAL TRACK AGILE - JEFF PATTON
More frequent
Iterations per week
1 or 2 Iterations per week
PRODUCT MANAGERS / DESIGNERS
ENGINEERS

24. Adapted from Courtesy : Marty Cagan SVPG
SECURITY
ADDING SECURITY TO THE ATTRIBUTE LIST

25. Courtesy : Marty Cagan SVPG

26. MOST OFTEN USED AT GOOGLE
Courtesy : Marty Cagan SVPG

27. Y-COMBINATOR TERMINOLOGY
AiRBnB USES IT
Courtesy : Marty Cagan SVPG

28. Courtesy : Marty Cagan SVPG
SPRINTS THAT WE NEED TO CONSIDER

29. By 2021, DevSecOps practices will be embedded
in 80 per cent of development teams, up from 15
per cent in 2017.
-Gartner

30. DEV SEC OPS - WHY
Pace of innovation meets – Pace of Security Automation
Scalable Architectures need Scalable Security
Vulnerabilities need to be healed at the rate at which software is getting churned.
Risk Identification and Remediation at the speed of delivery

31. Slow threat assessments
Can't patch fast enough
Reactive security posture
Lack of business agility
Slow to onboard new customers
Slow turn around time
Trailblazer dev projects gone wrong
Lack of SecOps agility
PROBLEMS AS THEY STAND

32. DEVELOPMENT
ARCHITECTURE
QA
OPERATIONS
TRADITIONAL S/W DEVELOPMENT – NOT CONTINOUS

33. WHAT WE NEED ?
MONITORING
&
SECURITY
TO BE ADDED TO
MAKE IT CONTINOUS
PLAN – CODE –BUILD-TEST-RELEASE-DEPLOY-OPERATE-MONITOR-PLAN

34. CLOUD ADDS TO THE COMPLEXITY
MOVING TO THE CLOUD
BABY STEPS
MORE THAN ONE
CLOUD
MULTI
CLOUD SCENARIO
SECURITY RESOURCES
& CHECKLISTS
COMPLIANCE AND
REGULATIONS
OPEX

35. DEVS
OPS
DESIGN
REVIEW
TEST
UNIT TEST
MOCK TESTS
PERFORMANCE
SECURITY
MEMORY MANAGEMENT
NRFS
SECURITY
RESPONSIVE NESS
RUN STUFF
BREAK THE BUILD
REPEAT
HOW DEVELOPERS SEE OPS FOLKS ?

36. WHAT DEVELOPERS WANT ?
Ease of checking in and checking out
Able to play and experiment with emerging technologies
Ability to push code regardless of the platform
ABOVE ALL A GOOD NIGHTS SLEEP

37. DEVS
DEV
ITIL COMPLIANCE
REDUCE CARBON
FOOTPRINT
TEST
GO GREEN
SUPPORT DIFF ENVS
TICKETING
SECURITY
VIRTUALIZE
CMRB
PCI DSS
KEEP THE LIGHTS ON
WRITE CODE
TEST SOME AND
RELEASE
HOW OPERATIONS FOLKS SEE DEVELOPERS
NETWORKS
OS
ACCESS CONTROL

38. WHAT MAKES SECURITY FOLKS RELAX
ALL VULNERABILITIES ARE DISCOVERED AND FIXED IN TIME
ALL COMPLIANCES AND REGULATIONS ARE MET
ALL ATTACKS HAVE A PLANNED STRATEGY AND NO SURPISES
ABLE TO KEEP IN PACE WITH THE SPEED OF DEVELOPMENT
AUTOMATED PROCESSES FOR STATIC AND DYNAMIC TEST ( SAST , DAST , IAST )

39. WHAT WE NEED IS TOOLS AND PROCESS ?
MONITORING
&
SECURITY
TO BE ADDED TO
MAKE IT CONTINOUS
CHECKS PRESENT
CHECKS PRESENT
NEEDS ACTION
NEEDS ACTION
NEEDS ACTION
NEEDS ACTION

40. CI / CD SOLUTION IS ONE OF THE
IMPORTANT TOOLS FOR DEVSECOPS

41. CI / CD PIPLELINE IS WHERE THE ACTION HAPPENS
BUILD PROCESSES ALONG THAT
1. REVIEW ACCESS ROLES
2. HARDENNING SERVERS AND NODES
3. ARTIFACTS / THIRD PARTY LIBS VALIDATION BEFORE ADDING THEM TO THE TRUNK
4. STATIC CODE ANALYSIS
5. DYNAMIC ANALYSIS

42. MILLION DOLLAR QUESTION ?
WHO BROKE THE BUILD ?

43. DO NOT LET SECURITY BREAK YOUR BUILD
When Cl breaks (and it breaks) it impacts everyone and everything in the process.
Creating a significant delay in the release cycle.
Start implementing security before the Continuous integration stage.
If you have 365 developers and each developer breaks only a single build once a year (usually much
more), you have an average of one build break per day.

44. SECURITY CANNOT BE A BLOCKER IT HAS TO KEEP PACE

45. SECURITY WISH LIST
OPERATIONAL CHECKS
AUTOMATIC FAULT DETECTION
AND CORRECTION
AUTOMATION REMIADIATION
AUTOMATIC AUDITING & FORENSICS
CODE LEVEL CHECKS
SECURE CODING PRACTICES
PRO ACTIVE CONTROLS IN THE CODE
BUILD LEVEL CHECKS
VULNERABILITY CHECKS
CONFIGURATION SCRUBBING
DEPLOY CHECKS
CONTINOUS VULNERABILITY SCANS
PICK ONLY AUTHENTIC IMAGES
GRANT JUST ENOUGH SERVER ACCESS

46. Command and
Control
Low trust
Organizations
Empowered
High trust
Organizations

47. DEVOPS IS FOR HORSES TOO NOT ONLY UNICORNS
MYTH

48. IF YOU CAN DO IT FOR SAP YOU CAN DO IT FOR ANYTHING

49. PROBLEMS & SOLUTIONS
IN FRONT OF US

50. PUSH THE RESPONSIBILTY TO THE DEVELOPERS
Whitepaper : ROI of Shifting Left in your SDLC

51. AIM FOR LESS FALSE POSITIVES
AIM FOR HIGH QUALITY
AIM FOR SPEED OF DELIVERY

52. SECURITY NEEDS MORE THAN JUST LIP SERVICE
Typically the ratio of DEVto OPSto SEC is 100/ 10 / 1

53. APPLICATION SECURITY
ACCOUNTS FOR
ABOUT
29 ~ 40 % OF ALL BREACHES

54. Automatic has issues as
Security Issues if found cannot be
stopped
How To Put The Sec In DevOps – Helen Bravo
Manual has better
control not faster

55. THE NETFLIX WAY
Aardvark and Repokid
PRINCIPLE OF LEAST PRIVILEGE

56. Positive testing determines that your application works
as expected. If an error is encountered during positive
testing, the test fails.
Negative testing ensures that your application can
gracefully handle invalid input or unexpected user
behavior.

57. Invite both sides of the table to the meeting DEV and OPS
Incidents
Threat Modelling
Security Sprints Etc.

58. AVOID FALSE POSITIVES

59. MEASURE MEASURE & MEASURE

60. FEED BACK PENETRATION RESULTS INTO UNIT TESTS

61. CREATE A CULTURE WHICH IS HIGH ON THE SECURITY DNA
Make it public when you fix things and update on internal wiki
Share Point or CMDB for all fixes on Security
Do not make it personal fix the issue not the person
Arrange for tech talks to spread the know how of the fixes
Educate DEV and OPS to read security tool analysis well
Shadow resources who could build capabilities

62. The further right the project is
on the DevOps scale the
further
left it should start
implementing security checks

63. https://developer.akamai.com/blog/2017/10/11/cdns-evolving-role-new-devops-world
DEVOPS EVOLUTION

64. COST OF NOT FIXING AT THE RIGHT TIME
SHIFT LEFT TO GAIN
Courtesy : Tanya Janca, Senior Cloud Developer Advocate, Microsoft

65. MOVE SECURITY UP THE CHAIN IN REVERSE ORDER
Courtesy : Tanya Janca, Senior Cloud Developer Advocate, Microsoft

66. CONTINOUS LEARNING IS KEY

67. ACTION ITEMS POST THIS CONFERENCE

68. Add security verification to Cl/CD Pipelines
Critical security bugs break the build
In the first three months following this presentation you should:
Create Negative Unit Tests from existing positive unit tests
Lessons on top 3 security bugs
High security bugs break the build
Within six months you should:
Regular lessons on AppSec, including a security exercise or simulation
Improvements of security processes for speed and removal of obstacles
Creation of parallel security pipeline
Medium security bugs break the build
NEXT STEPS FOR YOU

69. LIST OF TOOLS OUT THERE

70. USEFUL THOUGHT TO CARRY ☺

71. REFERENCES
1. https://www.linkedin.com/pulse/dynamics-devops-adoption-dr-pallab-saha/
2. https://www.youtube.com/watch?v=Qa_Fq7wWRdA
3. https://developer.akamai.com/blog/2017/10/11/cdns-evolving-role-new-devops-world
4. https://www.youtube.com/watch?v=Qa_Fq7wWRdA
5. https://www.youtube.com/watch?v=i43yWwcQfTs&list=PLjNII-Jkdjfz5EXWlGMBRk63PC8uJsHMo&index=3
6. https://www.youtube.com/watch?v=ayKTn2ZgGJI
7. https://www.youtube.com/watch?v=0KG9XRCKK78&t=108s
8. https://www.waratek.com/waf-to-runtime-protection/
9. https://www.opengroup.org/cio/ReferenceArc-Final1.pdf

72. www.eturnti.com
kiran@eturnti.com
twitter : @eturnti
+91-9886488030
Kiran Divakaran