Agile has made it possible to deliver a lot of product lines and service lines almost like instant coffee, instant tea and instant everything. It has created many diverse needs, especially the need to keep pace with Dev and Operations: everything is expected to be continuous along the pipeline without breaking anything along the way. That means features, security, builds, releases and the whole nine yards that go with putting your app or product out there. We shall look at DevSecOps and at why everything else associated with this initiative needs to be continuous. Without this mindset, agile shall be a term without much relevance, let alone one that delivers a product or feature in the best quality and time frame.
2. WHAT DO I DO?
Misys
BFL
Consultant and Technology Evangelist working with companies to help them in their business transformation and digital transformation journeys
Training and mentoring Architects and Technology leaders
Enterprise Architecture Expert with the Digital India Initiative
Ex Vice Chair, TOGAF® Standing Committee
Governing Board Member, CCICI
10. EQUIFAX SCAM
In 2017, the Equifax credit reporting agency used Struts in an online portal, and because Equifax did not identify and patch a vulnerable version of Struts, attackers were able to capture personal consumer information such as names, Social Security numbers, birth dates and addresses of over 148 million US consumers, nearly 700,000 UK residents, and more than 19,000 Canadian customers.
12. SALESFORCE.COM GENERATES 50 PERCENT OF ITS REVENUES VIA ITS API.
FOR THE TRAVEL SITE EXPEDIA, A WHOPPING 90 PERCENT OF ITS REVENUE IS CONDUCTED VIA ITS API.
18. ENTER
DEV SECOPS / SEC DEV / RUGGED DEV OPS
= SECURITY AUTOMATION AT SCALE
19. IMPACT OF SECURITY ON BUSINESS
Proliferation of Shadow IT
Business Agility impacted due to slow security cycles.
Security unable to keep pace with Business
Ad hoc projects and rogue development
True DevOps requires maturity
Slow threat assessments
Not enough patching
Reactive security posture of the company
SECURITY OPERATIONS
20. WHAT ARE WE MISSING HERE ?
Courtesy: Henrik Kniberg
21. 1. We need to discover a solution that is valuable, usable, feasible and viable.
2. We need to deliver a solution that is reliable, scalable, performant and maintainable.
& Of Course SECURE
WHAT WE ARE NOT CAPTURING ARE THE UNDERLYING ISSUES
22. Value Risk - will they use/buy it?
Usability Risk - can they use it?
Feasibility Risk - can we build it?
Business Viability Risk - will this work for our business?
Security Risk - is our solution vulnerable or hack-proof?
SOLVE OR BRAINSTORM ON THESE RISKS BEFORE YOU WRITE A LINE OF CODE
23. DISCOVERY AND DELIVERY
Courtesy: Marty Cagan, SVPG
DUAL TRACK AGILE - JEFF PATTON
Discovery track: build to learn; product managers / designers; more frequent iterations per week
Delivery track: build to run a business; engineers; 1 or 2 iterations per week
24. ADDING SECURITY TO THE ATTRIBUTE LIST
Adapted from Marty Cagan, SVPG
SECURITY
29. By 2021, DevSecOps practices will be embedded
in 80 per cent of development teams, up from 15
per cent in 2017.
-Gartner
30. DEV SEC OPS - WHY
Pace of innovation meets pace of security automation
Scalable Architectures need Scalable Security
Vulnerabilities need to be healed at the rate at which software is getting churned.
Risk Identification and Remediation at the speed of delivery
31. PROBLEMS AS THEY STAND
Slow threat assessments
Can't patch fast enough
Reactive security posture
Lack of business agility
Slow to onboard new customers
Slow turnaround time
Trailblazer dev projects gone wrong
Lack of SecOps agility
33. WHAT WE NEED
MONITORING & SECURITY TO BE ADDED TO MAKE IT CONTINUOUS
PLAN - CODE - BUILD - TEST - RELEASE - DEPLOY - OPERATE - MONITOR - PLAN
34. CLOUD ADDS TO THE COMPLEXITY
MOVING TO THE CLOUD: BABY STEPS
MORE THAN ONE CLOUD: MULTI-CLOUD SCENARIO
SECURITY RESOURCES & CHECKLISTS
COMPLIANCE AND REGULATIONS
OPEX
36. WHAT DEVELOPERS WANT
Ease of checking in and checking out
Able to play and experiment with emerging technologies
Ability to push code regardless of the platform
ABOVE ALL, A GOOD NIGHT'S SLEEP
37. HOW OPERATIONS FOLKS SEE DEVELOPERS
DEVS: WRITE CODE, TEST SOME AND RELEASE
(Diagram of everything around them: ITIL COMPLIANCE, REDUCE CARBON FOOTPRINT, GO GREEN, TEST, SUPPORT DIFF ENVS, TICKETING, SECURITY, VIRTUALIZE, CMRB, PCI DSS, KEEP THE LIGHTS ON, NETWORKS, OS, ACCESS CONTROL)
38. WHAT MAKES SECURITY FOLKS RELAX
ALL VULNERABILITIES ARE DISCOVERED AND FIXED IN TIME
ALL COMPLIANCE AND REGULATORY REQUIREMENTS ARE MET
ALL ATTACKS HAVE A PLANNED STRATEGY AND NO SURPRISES
ABLE TO KEEP PACE WITH THE SPEED OF DEVELOPMENT
AUTOMATED PROCESSES FOR STATIC AND DYNAMIC TEST (SAST, DAST, IAST)
39. WHAT WE NEED IS TOOLS AND PROCESS
(Pipeline diagram: MONITORING & SECURITY TO BE ADDED TO MAKE IT CONTINUOUS; each stage marked either CHECKS PRESENT or NEEDS ACTION)
40. A CI / CD SOLUTION IS ONE OF THE IMPORTANT TOOLS FOR DEVSECOPS
41. THE CI / CD PIPELINE IS WHERE THE ACTION HAPPENS
BUILD PROCESSES ALONG IT:
1. REVIEW ACCESS ROLES
2. HARDEN SERVERS AND NODES
3. VALIDATE ARTIFACTS / THIRD-PARTY LIBS BEFORE ADDING THEM TO THE TRUNK
4. STATIC CODE ANALYSIS
5. DYNAMIC ANALYSIS
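Step 3 above, validating a third-party library before it enters the trunk, as an added example that is not from the deck: the artifact is accepted only if its SHA-256 matches a pinned manifest. The manifest, file names and bytes are constructed for the demo.

```python
# Added example: gate a third-party artifact on a pinned SHA-256 before it enters the trunk.
import hashlib
import hmac
import os
import tempfile

# Constructed manifest of approved third-party libraries: file name -> expected SHA-256 hex.
# In a real pipeline this lives in version control next to the build definition.
APPROVED_ARTIFACTS = {
    "example-lib-1.0.jar": hashlib.sha256(b"approved library bytes").hexdigest(),
}

def sha256_of_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large artifacts need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def validate_artifact(path, manifest=APPROVED_ARTIFACTS):
    """Return (accepted, reason). Unknown names and hash mismatches are both rejected."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not in the approved manifest"
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"{name}: SHA-256 mismatch, refusing to add to trunk"
    return True, f"{name}: SHA-256 verified"

def demo():
    """Write three constructed artifacts to a temp dir and run the gate over them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cases = {
            "genuine": ("example-lib-1.0.jar", b"approved library bytes"),
            "tampered": ("example-lib-1.0.jar", b"approved library bytes with extra bytes"),
            "unknown": ("mystery-lib-9.9.jar", b"never reviewed"),
        }
        for label, (name, content) in cases.items():
            folder = os.path.join(tmp, label)
            os.mkdir(folder)
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[label] = validate_artifact(path)[0]
    return results  # -> {'genuine': True, 'tampered': False, 'unknown': False}
```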
43. DO NOT LET SECURITY BREAK YOUR BUILD
When CI breaks (and it breaks), it impacts everyone and everything in the process, creating a significant delay in the release cycle.
Start implementing security before the continuous integration stage.
If you have 365 developers and each developer breaks only a single build once a year (usually much more), you have an average of one build break per day.
45. SECURITY WISH LIST
OPERATIONAL CHECKS: AUTOMATIC FAULT DETECTION AND CORRECTION; AUTOMATED REMEDIATION; AUTOMATIC AUDITING & FORENSICS
CODE LEVEL CHECKS: SECURE CODING PRACTICES; PROACTIVE CONTROLS IN THE CODE
BUILD LEVEL CHECKS: VULNERABILITY CHECKS; CONFIGURATION SCRUBBING
DEPLOY CHECKS: CONTINUOUS VULNERABILITY SCANS; PICK ONLY AUTHENTIC IMAGES; GRANT JUST ENOUGH SERVER ACCESS
56. Positive testing determines that your application works as expected. If an error is encountered during positive testing, the test fails.
Negative testing ensures that your application can gracefully handle invalid input or unexpected user behavior.
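An added example (not from the deck) of positive tests and negative tests derived from them, which is also the first step the deck asks for later: a constructed request-parameter parser is tested on valid values, then each valid case is pushed past a boundary or given the wrong format or type, and every such case must be rejected rather than silently coerced.

```python
# Added example: positive tests plus negative tests derived from them for a constructed
# 'page_size' query parameter (ASCII decimal digits, value 1..100).
import re

class ValidationError(ValueError):
    """Raised when a request parameter is rejected rather than silently coerced."""

def parse_page_size(raw):
    """Parse a 'page_size' parameter: a str of ASCII digits whose value is in 1..100."""
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]+", raw) is None:
        raise ValidationError(f"page_size must be a decimal integer string, got {raw!r}")
    value = int(raw)
    if not 1 <= value <= 100:
        raise ValidationError(f"page_size out of range 1..100: {value}")
    return value

# Positive cases: input -> expected parsed value (the happy path, including both boundaries).
POSITIVE_CASES = {"1": 1, "25": 25, "100": 100}

# Negative cases derived from the positive ones: each valid input is pushed just past a
# boundary, or its format or type is changed, and every one must raise ValidationError.
NEGATIVE_CASES = [
    "0", "101", "-1",          # boundary neighbours of "1" and "100"
    "", "abc", "25.0", "1e2",  # wrong format
    " 25", "25 ", "+25",       # padding and sign that a bare int() would silently accept
    "\u0662\u0665",            # Arabic-Indic digits: int() parses them, the API must not
    25, None,                  # wrong type: not strings at all
]

def run_positive_tests():
    """Return {input: passed}; a case passes only if it parses to the expected value."""
    results = {}
    for raw, expected in POSITIVE_CASES.items():
        try:
            results[raw] = parse_page_size(raw) == expected
        except ValidationError:
            results[raw] = False
    return results

def run_negative_tests():
    """Return {input: passed}; a case passes only if the parser raises ValidationError."""
    results = {}
    for raw in NEGATIVE_CASES:
        try:
            parse_page_size(raw)
            results[raw] = False   # invalid input was accepted: the negative test fails
        except ValidationError:
            results[raw] = True
    return results
```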
57. Invite both sides of the table, DEV and OPS, to the meeting:
Incidents
Threat modelling
Security sprints, etc.
61. CREATE A CULTURE WHICH IS HIGH ON SECURITY DNA
Make it public when you fix things, and record all security fixes on the internal wiki, SharePoint or CMDB
Do not make it personal: fix the issue, not the person
Arrange tech talks to spread the know-how behind the fixes
Educate DEV and OPS to read security tool analysis well
Shadow resources who could build capabilities
62. The further right the project is on the DevOps scale, the further left it should start implementing security checks.
68. NEXT STEPS FOR YOU
Add security verification to CI/CD pipelines
Critical security bugs break the build
In the first three months following this presentation you should:
Create negative unit tests from existing positive unit tests
Lessons on the top 3 security bugs
High security bugs break the build
Within six months you should:
Regular lessons on AppSec, including a security exercise or simulation
Improvements of security processes for speed and removal of obstacles
Creation of a parallel security pipeline
Medium security bugs break the build
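The ratcheting "break the build" rule above (critical from day one, high after three months, medium after six) as an added pipeline gate; this is example code, not the deck's, and the scan findings, dates and severity names are constructed.

```python
# Added example: a break-the-build gate whose blocking severity ratchets down on the
# three-month / six-month schedule. Findings, dates and titles are constructed.
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def months_between(start, today):
    """Whole months elapsed from start to today (day-of-month aware)."""
    months = (today.year - start.year) * 12 + (today.month - start.month)
    if today.day < start.day:
        months -= 1
    return months

def blocking_threshold(start, today):
    """Lowest severity that fails the build at this point in the rollout."""
    elapsed = months_between(start, today)
    if elapsed >= 6:
        return "medium"    # six months on: medium and above break the build
    if elapsed >= 3:
        return "high"      # after three months: high and above
    return "critical"      # from day one: critical only

def evaluate_findings(findings, threshold):
    """Return (build_passes, blocking_findings) for a list of {'id','severity',...} dicts.
    An unrecognised severity is ranked as critical so a misparsed report fails closed."""
    min_rank = SEVERITY_RANK[threshold]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 4) >= min_rank]
    return len(blocking) == 0, blocking

# Constructed findings in the shape a SAST stage might report into the pipeline.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "medium", "title": "Verbose error page leaks stack trace"},
    {"id": "F-2", "severity": "high", "title": "SQL built by string concatenation"},
    {"id": "F-3", "severity": "low", "title": "Missing cache-control header"},
]

def gate(findings, start_iso, today_iso):
    """Pipeline entry point: ISO dates in, (passes, threshold, blocking ids) out."""
    start, today = date.fromisoformat(start_iso), date.fromisoformat(today_iso)
    threshold = blocking_threshold(start, today)
    passes, blocking = evaluate_findings(findings, threshold)
    return passes, threshold, [f["id"] for f in blocking]
```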