Everybody wants to deploy applications and infrastructure faster, and Agile and DevOps practices do make faster delivery possible. But continuous change can conflict with stability and security: without security built into every stage, DevOps simply ships vulnerabilities into production faster. Resolving that conflict means closing the gaps in the feedback loop between development, operations and security. Too often these teams do not collaborate or communicate effectively, which produces gaps in code quality, slower delivery and serious vulnerabilities that become real security risk. These shortcomings can be addressed by moving developers and testers into a DevSecOps (or "Rugged DevOps") model.
4. DevSecOps History
2004
• DevOps.com Registered
2010
• DevOps rise
2012
• Gartner introduced DevOpsSec and then DevSecOps
2013
• DevSecOps is on our Radar
2016-17
• Where are we?
7. People
• Social engineering
• Phishing, spamming
Processes
• Gaps
• Monolithic approaches
Technology
• Complex systems
• Reusable components
Hackers' favorites: each column lists the weak points attackers go after in people, processes and technology.
https://www.slideshare.net/SeniorStoryteller/the-journey-to-devsecops
8. Untold Truth
Security teams come in last, once a risk is announced, and only occasionally.
Hackers can find security loopholes multiple times in a day.
DevOps teams make security decisions along with CI/CD multiple times in a day.
An occasional security review cannot keep up with a pipeline that deploys many times a day; the security decisions have to happen inside the pipeline.
9. Shared Security Model
Layer            On-Premises   Infrastructure (IaaS)   Platform (PaaS)   Software (SaaS)
Applications     You           You                     You               Provider
Data             You           You                     You               Provider
Runtime          You           You                     Provider          Provider
Middleware       You           You                     Provider          Provider
OS               You           You                     Provider          Provider
Virtualization   You           Provider                Provider          Provider
Servers          You           Provider                Provider          Provider
Storage          You           Provider                Provider          Provider
Networking       You           Provider                Provider          Provider
"You" = managed by you; "Provider" = managed by the cloud provider. Moving right hands the lower layers to the provider, but application and data security remain your responsibility in every model short of SaaS.
12. With a common goal
Everyone is responsible for security, and everyone has a role to play.
A blaming culture is dangerous; avoid it.
Reacting after the fact is the costlier proposition; build security in.
Continuously build, test, deploy and improve.
Mistakes happen, but with frequent builds you get frequent opportunities to correct the defects.
Protection is ideal; detection is a must.
13. Practices for DevSecOps
Use IAM and role-based access control
Follow a simple risk and threat model
Scan custom code, apps and APIs (IAST, SAST, DAST)
Scan for open-source (OSS) component issues during development
Scan for vulnerabilities and verify configurations in all environments
Treat security as code: policies and checks live in version control and run in the pipeline
5x faster MTTR in blameless teams
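One way "security as code" and "verify configurations in all environments" look in practice is a policy check committed beside the application and run as a pipeline gate. The following is an added example written for this page, not code from the original slides: the deployment manifest, the registry name and the rule set are constructed for the illustration (the field names follow the Kubernetes Deployment API), with the weak manifest beside its corrected form.

```python
"""Security as code: a policy check run as a pipeline gate.
Added example; the manifests and rules below are constructed for
illustration and follow Kubernetes Deployment field names."""
import json

# Constructed manifest carrying the weak settings the checks catch.
WEAK_MANIFEST = json.loads("""
{"kind": "Deployment", "metadata": {"name": "payments-api"},
 "spec": {"template": {"spec": {
   "hostNetwork": true,
   "containers": [
     {"name": "api",
      "image": "registry.example.com/payments:latest",
      "securityContext": {"privileged": true}},
     {"name": "sidecar",
      "image": "registry.example.com/proxy:1.4.2",
      "securityContext": {"runAsNonRoot": true,
                          "allowPrivilegeEscalation": false},
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}
   ]}}}}
""")

# The same deployment with every finding corrected.
HARDENED_MANIFEST = json.loads("""
{"kind": "Deployment", "metadata": {"name": "payments-api"},
 "spec": {"template": {"spec": {
   "containers": [
     {"name": "api",
      "image": "registry.example.com/payments:2.3.1",
      "securityContext": {"runAsNonRoot": true,
                          "allowPrivilegeEscalation": false,
                          "privileged": false},
      "resources": {"limits": {"cpu": "1", "memory": "512Mi"}}},
     {"name": "sidecar",
      "image": "registry.example.com/proxy:1.4.2",
      "securityContext": {"runAsNonRoot": true,
                          "allowPrivilegeEscalation": false},
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}
   ]}}}}
""")


def check_container(c):
    """Return (container, finding) pairs for one container spec."""
    findings = []
    sc = c.get("securityContext", {})
    image = c.get("image", "")
    if sc.get("privileged"):
        findings.append((c["name"], "privileged container"))
    if not sc.get("runAsNonRoot"):
        findings.append((c["name"], "runAsNonRoot not set"))
    # Default for allowPrivilegeEscalation is true, so absence is a finding.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append((c["name"], "allowPrivilegeEscalation not disabled"))
    # Pin images to a tag; ":latest" or no tag defeats reproducible deploys.
    last = image.rsplit("/", 1)[-1]
    if ":" not in last or image.endswith(":latest"):
        findings.append((c["name"], "image tag missing or :latest"))
    if "limits" not in c.get("resources", {}):
        findings.append((c["name"], "no resource limits"))
    return findings


def check_manifest(manifest):
    """Return all findings; an empty list means the manifest passes policy."""
    pod = manifest["spec"]["template"]["spec"]
    findings = []
    if pod.get("hostNetwork"):
        findings.append(("pod", "hostNetwork enabled"))
    for c in pod.get("containers", []):
        findings.extend(check_container(c))
    return findings


def gate(manifest):
    """Pipeline gate: True only when the manifest may be deployed."""
    return not check_manifest(manifest)


if __name__ == "__main__":
    for where, what in check_manifest(WEAK_MANIFEST):
        print(f"FAIL {where}: {what}")
    raise SystemExit(0 if gate(WEAK_MANIFEST) else 1)
```

Because the rules are code, a change to them is reviewed and versioned like any other change, and the same check runs unchanged against the development, staging and production manifests.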
14. Some More Practices
Whitelisting (allowlisting) on production systems, including container-based systems: only known, approved executables and images may run.
Assume compromise: monitor everything and design for rapid detection and response.
Lock down production infrastructure and services: no interactive SSH, only APIs and scripts, so every change goes through automation rather than hands on a box.
Source: Gartner (September 2016)
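The three practices above turn into concrete detections once production is instrumented. The following is an added example, not code from the original slides or from Gartner: it runs three rules over constructed log lines (a burst of failed logins, which is the "assume compromise" monitoring; an interactive SSH login on a production host, which violates the "no SSH" lockdown; and a process outside the allowlist). The host naming convention (production hosts start with "prod-"), the log format and the allowlist are assumptions made for the illustration.

```python
"""Assume-compromise detections over host logs.  Added example; the log
lines, host naming rule and allowlist are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style lines: timestamp, host, message.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z prod-web-1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:03Z prod-web-1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-05-01T10:00:04Z prod-web-1 sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-05-01T10:00:06Z prod-web-1 sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-05-01T10:00:09Z prod-web-1 sshd[2101]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-05-01T10:00:12Z prod-web-1 sshd[2102]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
2024-05-01T10:01:00Z prod-web-1 audit: exec user=deploy cmd=/usr/bin/curl
2024-05-01T10:01:05Z prod-web-1 audit: exec user=www-data cmd=/usr/sbin/nginx
2024-05-01T10:05:00Z staging-web-1 sshd[310]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
EXEC_RE = re.compile(r"audit: exec user=(?P<user>\S+) cmd=(?P<cmd>\S+)")

PROD_PREFIX = "prod-"                      # assumed host naming convention
EXEC_ALLOWLIST = {"/usr/sbin/nginx", "/usr/bin/python3"}   # assumed allowlist
BRUTE_THRESHOLD = 5                        # failed logins per source ...
BRUTE_WINDOW = timedelta(seconds=60)       # ... within this window


def parse(line):
    """Split one line into (timestamp, host, message) or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["rest"]


def analyze(log_text):
    """Return a list of (rule, host, detail) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    already_alerted = set()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, rest = parsed
        is_prod = host.startswith(PROD_PREFIX)
        if (m := FAILED_RE.search(rest)):
            q = failures[m["ip"]]
            q.append(ts)
            while q and ts - q[0] > BRUTE_WINDOW:   # keep only the window
                q.popleft()
            if len(q) >= BRUTE_THRESHOLD and m["ip"] not in already_alerted:
                already_alerted.add(m["ip"])
                alerts.append(("brute_force", host,
                               f"{len(q)} failed logins from {m['ip']} "
                               f"within {BRUTE_WINDOW.seconds}s"))
        elif (m := ACCEPTED_RE.search(rest)) and is_prod:
            # Production is API/automation only: any interactive login is an alert.
            alerts.append(("ssh_on_prod", host,
                           f"interactive SSH login by {m['user']} from {m['ip']}"))
        elif (m := EXEC_RE.search(rest)) and is_prod and m["cmd"] not in EXEC_ALLOWLIST:
            alerts.append(("unexpected_exec", host,
                           f"{m['user']} ran {m['cmd']} (not allowlisted)"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in analyze(SAMPLE_LOG):
        print(f"{rule:16} {host:14} {detail}")
```

On the sample the brute-force rule fires on the fifth failure from 203.0.113.7, the successful SSH login on prod-web-1 fires the lockdown rule even though the key was valid, and the curl execution fires the allowlist rule; the staging login and the nginx start do not alert.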
15. Attack Driven Testing
Turn attacker behaviour into test cases and alerts:
Server errors: 500, 501, 502...
XSS attempts
Password resets
Login failures
Asserts:
Page is not available for Google crawl
Page requires sign-in
Port is not open
Reuse unit tests to test all your environments.
Apply antivirus scanning to your code as well.
Use post-mortems for each fix.
Automate your verification process.
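An attack-driven test replays an attacker's move against the application and asserts on the security outcome rather than on functional behaviour. The following is an added example, not code from the original slides: it drives a tiny WSGI application in-process (the application, its routes and the session cookie value are constructed stand-ins for a real service) and asserts that reflected input is escaped, that a private page requires sign-in and is marked not indexable, and that malformed input yields a 4xx rather than a server error. Because the tests call the app through the WSGI interface, the same tests can be pointed at any environment by swapping the request helper for an HTTP client.

```python
"""Attack-driven tests against a minimal WSGI app.  Added example; the
application, routes and session cookie are constructed stand-ins."""
import html
from urllib.parse import parse_qs, quote
from wsgiref.util import setup_testing_defaults

SESSION_COOKIE = "session=valid"   # constructed stand-in for a real session


def app(environ, start_response):
    """Application under test (constructed for this example)."""
    path = environ.get("PATH_INFO", "/")
    query = parse_qs(environ.get("QUERY_STRING", ""))
    html_headers = [("Content-Type", "text/html; charset=utf-8")]
    if path == "/search":
        term = query.get("q", [""])[0]
        # Output encoding is the XSS control the test exercises.
        start_response("200 OK", html_headers)
        return [f"<p>Results for {html.escape(term)}</p>".encode()]
    if path == "/account":
        if environ.get("HTTP_COOKIE") != SESSION_COOKIE:
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        start_response("200 OK", html_headers + [("X-Robots-Tag", "noindex")])
        return [b"<p>Account details</p>"]
    if path == "/item":
        try:
            item_id = int(query.get("id", [""])[0])
        except ValueError:            # bad input is a client error, not a 500
            start_response("400 Bad Request", html_headers)
            return [b"bad id"]
        start_response("200 OK", html_headers)
        return [f"<p>item {item_id}</p>".encode()]
    start_response("404 Not Found", html_headers)
    return [b"not found"]


def request(path, query="", cookie=None):
    """Call the WSGI app in-process; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = query
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode()


XSS_PAYLOADS = ['<script>alert(1)</script>', '"><img src=x onerror=alert(1)>']


def check_reflected_xss_is_escaped():
    """Payload must come back escaped, never verbatim."""
    for payload in XSS_PAYLOADS:
        status, _, body = request("/search", "q=" + quote(payload))
        if status != "200 OK" or payload in body or html.escape(payload) not in body:
            return False
    return True


def check_account_requires_sign_in():
    """Anonymous request is redirected; valid session is served."""
    status, headers, _ = request("/account")
    anonymous_blocked = status.startswith("302") and headers.get("Location") == "/login"
    status, _, _ = request("/account", cookie=SESSION_COOKIE)
    return anonymous_blocked and status == "200 OK"


def check_account_not_indexable():
    """Private page must tell crawlers not to index it."""
    _, headers, _ = request("/account", cookie=SESSION_COOKIE)
    return "noindex" in headers.get("X-Robots-Tag", "")


def check_malformed_input_no_server_error():
    """Hostile or malformed ids must not produce a 5xx."""
    for bad in ["abc", "1 OR 1=1", "../../etc/passwd", ""]:
        status, _, _ = request("/item", "id=" + quote(bad))
        if status.startswith("5"):
            return False
    return True


def run_attack_tests():
    """Run every attack-driven check; returns {name: passed}."""
    checks = [check_reflected_xss_is_escaped, check_account_requires_sign_in,
              check_account_not_indexable, check_malformed_input_no_server_error]
    return {c.__name__: c() for c in checks}


if __name__ == "__main__":
    for name, ok in run_attack_tests().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

A failing check here is the pre-deploy counterpart of the runtime alerts on the previous slide: the same XSS attempt or login failure that should raise an alert in production should already fail the build.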