SlideShare une entreprise Scribd logo

Strengthen and Scale Security Using DevSecOps - OWASP Indonesia

Mohammed A. Imran
Mohammed A. Imran

Strengthen and Scale Security Using DevSecOps - OWASP Indonesia More details here - https://www.practical-devsecops.com/

Logiciels
1  sur  44
Télécharger pour lire hors ligne
Strengthen and Scale security using DevSecOps @secfigoɂ www.teachera.io secfigo@gmail.com OWASP Indonesia Meetup
2 Mohammed A. Imran Senior Security Engineer # whoami Author, Speaker and Community Leader. Speaker/Trainer at Blackhat, AppSec EU, Pycon, All Day DevOps, DevSecCon London, DevSecCon Singapore, Nullcon etc., Organizer of DevSecOps Track in OSS 2018. Project Leader for OWASP DevSecOps Studio, DevSlop, Integra and Awesome-Fuzzing projects. Organised around 100 monthly security meetings and about 50 workshops. SCJP, OSCP, OSCE. AWS-CP, AWS-CSA, AWS-SS
Agile and DevOps 1
Long Long time ago Trivia: how is this related to Singapore ?
5 Traditional SDLC Requirements Gather Requirements from the client/customer Implementation Implement the design agreed upon Maintain Maintain of the software in production Deploy Deploy the software to the production Design Design the software according to the requirements
Business Requirements Development Teams Wall of uncertainty
7 Enter the change Agile Everything changed after agile, much shorter development cycles and faster deploys to production. Speed with which changes are being made is beyond security’s (operations) 🚨 reach. Then Agile Happened
Developers Operations Wall of confusion
9 DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality - Bass, Weber, and Zhu DevOps Development (Software Engineering) Operations (Quality Assurance) DevOps
D 10 Plan & Create Plan and implement the code using source code management (SCM) A Monitor Create Verify Package Release Configure DevOps Verify Test and verify the code does, what business wants. B Package Package the code in a deployable artifact & test it in staging environment C Release Release the artefact as production ready after change/release approvals Configure Configure the application/ stack using configuration management E Monitor Monitor the application for its performance, security and compliance F DevOps Cycle
DevOps Security Wall of compliance
DevOps Security Wall of compliance
14 Traditional Secure SDLC
15 Security is Outnumbered! Dev / Ops / Security 100 / 10 / 1
16 DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality - Bass, Weber, and Zhu By definition, security is part of DevOps. DevSecOps Development (Software Engineering) Security (Quality Assurance) Operations DevSecOps
17 Flexibility With ever changing technology, businesses have to be flexible and fast to deliver value to their customers otherwise they risk losing the business. Reliability Customers need more reliable & available systems. DevOps reduces failure rates and provides faster feedback Resilience DevOps helps organisations in designing and implementing resilient systems. Automation Automation helps to reduce complexity of modern systems and can scale as per needs Speed Speed is competitive advantage and DevOps helps to go to market faster. Development Security (Quality Assurance) Operations DevSecOps DevSecOps Benefits
18 Culture DevOps is about breaking down barriers between teams; without culture other practices fail C A M S Measurement Measuring activities in CI/CD helps in informed decision making among teams Automation Often mistaken as DevOps itself but a very important aspect of the initiative. Sharing Sharing tools, best practices etc., among the teams/organization improves confidence for collaboration. How to DevSecOps ? Core Values of DevOps
Build bridges, not walls!
Build guard rails, not gates! Embed security early and often
Conway’s Law Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure. “
Continuous Integration/Deployment 2
23 CI/CD CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository Functional req. Non Functional req. Design Code Branching Third party components Hooks Compile Basic tests Lint(analyze) Package Security Integration Performance Security Test on staging Release Schedule Configuration Inventory Infrastructure Metrics Monitoring Alerting
Agile Development Continuous Integration Continuous Delivery Continuous Deployment DevOps/DevSecOps CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository
Scale security with DevOps 3
26 DevSecOps Implementation So far we have looked at Principles and Ideas behind DevSecOps but how do we start implementing DevSecOps ? We can use the techniques ( see towards your right hand side) discussed in this course to implement a full blown security pipeline. Everything as Code(EAC Compliance as Code and hardening via configuration management systems Secure by Default Use secure by default frameworks and services Shift Security Left Use CI/CD pipeline to embed security Self Service Gives developers and operations visibility into security activities Security Champions Encourage security champions to pick security tasks. Use maturity models Use DevSecOps Maturity Models to improve further
1. Shift Security left Use CI/CD pipeline to embed security early on
CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository Functional req. Non Functional req. Design Code Branching Third party components Hooks Compile Basic tests Lint(Analyze) Package Security Integration Performance Security Test on staging Release Schedule Configuration Inventory Infrastructure Metrics Monitoring Alerting DevOps: Typical Activities
Threat Modelling ASVS Git secrets Dependency Scanning Dependency Scanning Code Analysis(SAST) Security Unit Tests Docker security Testing Git secrets scanning Component scanning ZAP testing - baseline Container Scanning Modsecurity CRS Docker/Third Party SSL scanning Nikto/dirbuster WPScan/JoomScan ZAP + selenium + python Component scanning Docker Benchmark System Hardening Application Hardening Compliance as code SOC with ELK Verify Controls CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitoringArtefact Repository DevOps: Typical Security Activities
2. Self Service Gives developers and operations visibility into security activities
3. Security as Code (EaC) Compliance as Code and hardening via configuration management systems
4. Secure by default Use secure by default frameworks and services
DevSecOps Maturity Model 4
DevSecOps Maturity Model (DSOMM) Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
DevSecOps Maturity Model (DSOMM) Static Depth: How deep is static code analysis ? Dynamic Depth:  How deep are dynamic scans executed ? Intensity:  How intense are the majority of the executed attacks ? Consolidation:  How complete is the process of handling findings ? Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
36 Security Tools in CI/CD 1. Anything which takes more than 10 minutes (me being optimistic), isn’t fit for CI/CD 2. SAST/DAST without creating custom rules/tweaks is of not huge benefit down the line. 3. Create separate jobs for easy debugging later. 4. Roll out tools in phases. 5. Fail builds when critical/high severity issues are found (after you have given devs/ops enough time to learn and get used to the security tools) 6. Link wiki in the scan outputs if someone needs some answers. 7. Tools which provide APIs are huge wins but make sure you at least have a CLI 8. See if your tools does incremental/baseline scans. 9. Some Ability to control the scope and false positives locally is nice (see brakeman/zap/dependency checker). 10. When in doubt ask Developers/QA for the help. 11. Everything as Code (EaC). Auditable, measurable and secure
≈ç Let’s see DevSecOps pipeline in Action DEMO
38 DevSecOps Studio is a virtual environment to learn and teach DevSecOps concepts. Its easy to get started and is mostly automatic. It takes lots of efforts to setup a DevSecOps environment for training/demos and more often, its error prone when done manually. OWASP DevSecOps Studio https://github.com/teacheraio/DevSecOps-Studio/
39 Easy to setup Takes only few mins to setup and start using with just one command A Reproducible The aim of this project is to setup reproducible DevSecOps Lab environment for learning and testing different tools. B Free & Open Source Software This project is a free and open software to help more people learn about DevSecOps C DevSecOps Studio Benefits
40 Our Setup for On-Premise GITLABDeveloper(s) > > >Gitlab CI/CD RUNNER PROD SERVER > Push Code to git repo Triggers Build Run tests Deploys to Production
41 Our Setup for On-Premise Developer(s) > > >JEnkins CI/CD JENKINS SLAVE PROD SERVER > Push Code to git repo Triggers Build Run tests Deploys to Production GITLAB
42 Python security tools Security Test Tool SAST Bandit DAST ZAP Baseline Hardening Ansible Compliance Inspec Git Secrets Trufflehog
43 Conclusion In conclusion, we don't need large sums of money to implement DevSecOps. We can use free and open source tools to showcase the benefits and value DevSecOps provides to the organization(s). Go on, embed security as part of CI/CD Everything as Code(EAC Use Configuration management (IaC) to implement Security as Code Secure by Default Use secure by default frameworks and services Shift Security Left Use CI/CD pipeline to embed security early on Self Service Give developers and operations visibility into security activities/tools Security Champions Encourage security champions to pick security tasks. Use maturity models Use DevSecOps Maturity Models to improve further
Thank you! You folks are awesome. @secfigoɂ www.teachera.io secfigo@gmail.com

Recommandé

DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOpsDevOps Indonesia
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines Abdul_Mujeeb
 
DevOps introduction
DevOps introductionDevOps introduction
DevOps introductionMettje Heegstra
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 

Recommandé

DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOpsDevOps Indonesia
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines Abdul_Mujeeb
 
DevOps introduction
DevOps introductionDevOps introduction
DevOps introductionMettje Heegstra
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsCprime
 
Microsoft DevOps Solution - DevOps
Microsoft DevOps Solution - DevOps Microsoft DevOps Solution - DevOps
Microsoft DevOps Solution - DevOps Chetan Gordhan
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsPriyanka Aash
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsabhimanyubhogwan
 
What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...
What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...
What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...Simplilearn
 
Azure DevOps Presentation
Azure DevOps PresentationAzure DevOps Presentation
Azure DevOps PresentationInCycleSoftware
 
DevOps concepts, tools, and technologies v1.0
DevOps concepts, tools, and technologies v1.0DevOps concepts, tools, and technologies v1.0
DevOps concepts, tools, and technologies v1.0Mohamed Taman
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseOpsta
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left SecurityBATbern
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
DevOps Introduction
DevOps IntroductionDevOps Introduction
DevOps IntroductionRobert Sell
 
DevOps Foundation
DevOps FoundationDevOps Foundation
DevOps FoundationHomepree Rloy
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices Hendri Karisma
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsJoel Divekar
 
DevOps 101 - an Introduction to DevOps
DevOps 101 - an Introduction to DevOpsDevOps 101 - an Introduction to DevOps
DevOps 101 - an Introduction to DevOpsRed Gate Software
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessMohammed A. Imran
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or lessMohammed A. Imran
 

Contenu connexe

Tendances

2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsCprime
 
Microsoft DevOps Solution - DevOps
Microsoft DevOps Solution - DevOps Microsoft DevOps Solution - DevOps
Microsoft DevOps Solution - DevOps Chetan Gordhan
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsPriyanka Aash
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...
What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...
What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...Simplilearn
 
Azure DevOps Presentation
Azure DevOps PresentationAzure DevOps Presentation
Azure DevOps PresentationInCycleSoftware
 
DevOps concepts, tools, and technologies v1.0
DevOps concepts, tools, and technologies v1.0DevOps concepts, tools, and technologies v1.0
DevOps concepts, tools, and technologies v1.0Mohamed Taman
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseOpsta
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left SecurityBATbern
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
DevOps Introduction
DevOps IntroductionDevOps Introduction
DevOps IntroductionRobert Sell
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices Hendri Karisma
 
DevOps 101 - an Introduction to DevOps
DevOps 101 - an Introduction to DevOpsDevOps 101 - an Introduction to DevOps
DevOps 101 - an Introduction to DevOpsRed Gate Software
 

Tendances (20)

2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
 
Microsoft DevOps Solution - DevOps
Microsoft DevOps Solution - DevOps Microsoft DevOps Solution - DevOps
Microsoft DevOps Solution - DevOps
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...
What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...
What is DevOps? | DevOps Introduction | DevOps Tools | DevOps Tutorial For Be...
 
Azure DevOps Presentation
Azure DevOps PresentationAzure DevOps Presentation
Azure DevOps Presentation
 
DevOps concepts, tools, and technologies v1.0
DevOps concepts, tools, and technologies v1.0DevOps concepts, tools, and technologies v1.0
DevOps concepts, tools, and technologies v1.0
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for Enterprise
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azure
 
DevOps Introduction
DevOps IntroductionDevOps Introduction
DevOps Introduction
 
DevOps Foundation
DevOps FoundationDevOps Foundation
DevOps Foundation
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevOps 101 - an Introduction to DevOps
DevOps 101 - an Introduction to DevOpsDevOps 101 - an Introduction to DevOps
DevOps 101 - an Introduction to DevOps
 

Similaire à Strengthen and Scale Security Using DevSecOps - OWASP Indonesia

Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessMohammed A. Imran
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or lessMohammed A. Imran
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}Ajeet Singh
 
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...Edureka!
 
Why DevSecOps Is Necessary For Your SDLC Pipeline?
Why DevSecOps Is Necessary For Your SDLC Pipeline?Why DevSecOps Is Necessary For Your SDLC Pipeline?
Why DevSecOps Is Necessary For Your SDLC Pipeline?Enov8
 
Introduction to DevOps in Cloud Computing.pptx
Introduction to DevOps in Cloud Computing.pptxIntroduction to DevOps in Cloud Computing.pptx
Introduction to DevOps in Cloud Computing.pptxLAKSHMIS553566
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..Siddharth Joshi
 
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineDevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineEnov8
 
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT LeadershipDevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT LeadershipBryan Len
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAmazon Web Services
 
DevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDev Software
 
Introduction to dev ops
Introduction to dev opsIntroduction to dev ops
Introduction to dev opsAbdul Rahim
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.Techugo
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenNadira Bajrei
 
DevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practicesDevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practicesayoubbahaddouayoub
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowAmien Harisen Rosyandino
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdfTechugo
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.Techugo
 

Similaire à Strengthen and Scale Security Using DevSecOps - OWASP Indonesia (20)

Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
 
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
 
Why DevSecOps Is Necessary For Your SDLC Pipeline?
Why DevSecOps Is Necessary For Your SDLC Pipeline?Why DevSecOps Is Necessary For Your SDLC Pipeline?
Why DevSecOps Is Necessary For Your SDLC Pipeline?
 
Introduction to DevOps in Cloud Computing.pptx
Introduction to DevOps in Cloud Computing.pptxIntroduction to DevOps in Cloud Computing.pptx
Introduction to DevOps in Cloud Computing.pptx
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineDevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps Pipeline
 
DevSecOps on Azure
DevSecOps on AzureDevSecOps on Azure
DevSecOps on Azure
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT LeadershipDevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
DevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLC
 
Introduction to dev ops
Introduction to dev opsIntroduction to dev ops
Introduction to dev ops
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
 
DevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practicesDevOps culture, concepte , philosophie and practices
DevOps culture, concepte , philosophie and practices
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdf
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
 

Plus de Mohammed A. Imran

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsMohammed A. Imran
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeMohammed A. Imran
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction Mohammed A. Imran
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservicesMohammed A. Imran
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applicationsMohammed A. Imran
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security communityMohammed A. Imran
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 

Plus de Mohammed A. Imran (11)

Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsAutomating security test using Selenium and OWASP ZAP - Practical DevSecOps
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
 
Null Singapore 2015 accomplishments
Null Singapore 2015 accomplishmentsNull Singapore 2015 accomplishments
Null Singapore 2015 accomplishments
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
Null Singapore Introduction
Null Singapore Introduction Null Singapore Introduction
Null Singapore Introduction
 
Pentesting RESTful webservices
Pentesting RESTful webservicesPentesting RESTful webservices
Pentesting RESTful webservices
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Assembly language part I
Assembly language part IAssembly language part I
Assembly language part I
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
About Null open security community
About Null open security communityAbout Null open security community
About Null open security community
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 

Dernier

Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 

Dernier (20)

Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 

Strengthen and Scale Security Using DevSecOps - OWASP Indonesia

  • 1. Strengthen and Scale security using DevSecOps @secfigoɂ www.teachera.io secfigo@gmail.com OWASP Indonesia Meetup
  • 2. 2 Mohammed A. Imran Senior Security Engineer # whoami Author, Speaker and Community Leader. Speaker/Trainer at Blackhat, AppSec EU, Pycon, All Day DevOps, DevSecCon London, DevSecCon Singapore, Nullcon etc., Organizer of DevSecOps Track in OSS 2018. Project Leader for OWASP DevSecOps Studio, DevSlop, Integra and Awesome-Fuzzing projects. Organised around 100 monthly security meetings and about 50 workshops. SCJP, OSCP, OSCE. AWS-CP, AWS-CSA, AWS-SS
  • 4. Long Long time ago Trivia: how is this related to Singapore ?
  • 5. 5 Traditional SDLC Requirements Gather Requirements from the client/customer Implementation Implement the design agreed upon Maintain Maintain of the software in production Deploy Deploy the software to the production Design Design the software according to the requirements
  • 7. 7 Enter the change Agile Everything changed after agile, much shorter development cycles and faster deploys to production. Speed with which changes are being made is beyond security’s (operations) 🚨 reach. Then Agile Happened
  • 9. 9 DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality - Bass, Weber, and Zhu DevOps Development (Software Engineering) Operations (Quality Assurance) DevOps
  • 10. D 10 Plan & Create Plan and implement the code using source code management (SCM) A Monitor Create Verify Package Release Configure DevOps Verify Test and verify the code does, what business wants. B Package Package the code in a deployable artifact & test it in staging environment C Release Release the artefact as production ready after change/release approvals Configure Configure the application/ stack using configuration management E Monitor Monitor the application for its performance, security and compliance F DevOps Cycle
  • 11.
  • 15. 15 Security is Outnumbered! Dev / Ops / Security 100 / 10 / 1
  • 16. 16 DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality - Bass, Weber, and Zhu By definition, security is part of DevOps. DevSecOps Development (Software Engineering) Security (Quality Assurance) Operations DevSecOps
  • 17. 17 Flexibility With ever changing technology, businesses have to be flexible and fast to deliver value to their customers otherwise they risk losing the business. Reliability Customers need more reliable & available systems. DevOps reduces failure rates and provides faster feedback Resilience DevOps helps organisations in designing and implementing resilient systems. Automation Automation helps to reduce complexity of modern systems and can scale as per needs Speed Speed is competitive advantage and DevOps helps to go to market faster. Development Security (Quality Assurance) Operations DevSecOps DevSecOps Benefits
  • 18. 18 Culture DevOps is about breaking down barriers between teams; without culture other practices fail C A M S Measurement Measuring activities in CI/CD helps in informed decision making among teams Automation Often mistaken as DevOps itself but a very important aspect of the initiative. Sharing Sharing tools, best practices etc., among the teams/organization improves confidence for collaboration. How to DevSecOps ? Core Values of DevOps
  • 20. Build guard rails, not gates! Embed security early and often
  • 21. Conway’s Law Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure. “
  • 23. 23 CI/CD CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository Functional req. Non Functional req. Design Code Branching Third party components Hooks Compile Basic tests Lint(analyze) Package Security Integration Performance Security Test on staging Release Schedule Configuration Inventory Infrastructure Metrics Monitoring Alerting
  • 24. Agile Development Continuous Integration Continuous Delivery Continuous Deployment DevOps/DevSecOps CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository
  • 26. 26 DevSecOps Implementation So far we have looked at Principles and Ideas behind DevSecOps but how do we start implementing DevSecOps ? We can use the techniques ( see towards your right hand side) discussed in this course to implement a full blown security pipeline. Everything as Code(EAC Compliance as Code and hardening via configuration management systems Secure by Default Use secure by default frameworks and services Shift Security Left Use CI/CD pipeline to embed security Self Service Gives developers and operations visibility into security activities Security Champions Encourage security champions to pick security tasks. Use maturity models Use DevSecOps Maturity Models to improve further
  • 27. 1. Shift Security left Use CI/CD pipeline to embed security early on
  • 28. CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository Functional req. Non Functional req. Design Code Branching Third party components Hooks Compile Basic tests Lint(Analyze) Package Security Integration Performance Security Test on staging Release Schedule Configuration Inventory Infrastructure Metrics Monitoring Alerting DevOps: Typical Activities
  • 29. Threat Modelling ASVS Git secrets Dependency Scanning Dependency Scanning Code Analysis(SAST) Security Unit Tests Docker security Testing Git secrets scanning Component scanning ZAP testing - baseline Container Scanning Modsecurity CRS Docker/Third Party SSL scanning Nikto/dirbuster WPScan/JoomScan ZAP + selenium + python Component scanning Docker Benchmark System Hardening Application Hardening Compliance as code SOC with ELK Verify Controls CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitoringArtefact Repository DevOps: Typical Security Activities
  • 30. 2. Self Service Gives developers and operations visibility into security activities
  • 31. 3. Security as Code (EaC) Compliance as Code and hardening via configuration management systems
  • 32. 4. Secure by default Use secure by default frameworks and services
  • 34. DevSecOps Maturity Model (DSOMM) Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
  • 35. DevSecOps Maturity Model (DSOMM) Static Depth: How deep is static code analysis ? Dynamic Depth:  How deep are dynamic scans executed ? Intensity:  How intense are the majority of the executed attacks ? Consolidation:  How complete is the process of handling findings ? Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
  • 36. 36 Security Tools in CI/CD 1. Anything which takes more than 10 minutes (me being optimistic), isn’t fit for CI/CD 2. SAST/DAST without creating custom rules/tweaks is of not huge benefit down the line. 3. Create separate jobs for easy debugging later. 4. Roll out tools in phases. 5. Fail builds when critical/high severity issues are found (after you have given devs/ops enough time to learn and get used to the security tools) 6. Link wiki in the scan outputs if someone needs some answers. 7. Tools which provide APIs are huge wins but make sure you at least have a CLI 8. See if your tools does incremental/baseline scans. 9. Some Ability to control the scope and false positives locally is nice (see brakeman/zap/dependency checker). 10. When in doubt ask Developers/QA for the help. 11. Everything as Code (EaC). Auditable, measurable and secure
  • 38. 38 DevSecOps Studio is a virtual environment to learn and teach DevSecOps concepts. Its easy to get started and is mostly automatic. It takes lots of efforts to setup a DevSecOps environment for training/demos and more often, its error prone when done manually. OWASP DevSecOps Studio https://github.com/teacheraio/DevSecOps-Studio/
  • 39. 39 Easy to setup Takes only few mins to setup and start using with just one command A Reproducible The aim of this project is to setup reproducible DevSecOps Lab environment for learning and testing different tools. B Free & Open Source Software This project is a free and open software to help more people learn about DevSecOps C DevSecOps Studio Benefits
  • 40. 40 Our Setup for On-Premise GITLABDeveloper(s) > > >Gitlab CI/CD RUNNER PROD SERVER > Push Code to git repo Triggers Build Run tests Deploys to Production
  • 41. 41 Our Setup for On-Premise Developer(s) > > >JEnkins CI/CD JENKINS SLAVE PROD SERVER > Push Code to git repo Triggers Build Run tests Deploys to Production GITLAB
  • 42. 42 Python security tools Security Test Tool SAST Bandit DAST ZAP Baseline Hardening Ansible Compliance Inspec Git Secrets Trufflehog
  • 43. 43 Conclusion In conclusion, we don't need large sums of money to implement DevSecOps. We can use free and open source tools to showcase the benefits and value DevSecOps provides to the organization(s). Go on, embed security as part of CI/CD Everything as Code(EAC Use Configuration management (IaC) to implement Security as Code Secure by Default Use secure by default frameworks and services Shift Security Left Use CI/CD pipeline to embed security early on Self Service Give developers and operations visibility into security activities/tools Security Champions Encourage security champions to pick security tasks. Use maturity models Use DevSecOps Maturity Models to improve further
  • 44. Thank you! You folks are awesome. @secfigoɂ www.teachera.io secfigo@gmail.com