The document discusses integrating security practices within DevOps environments. It begins by introducing DevOps and noting that traditional security controls like penetration testing and code analysis are too slow for continuous deployment. It then outlines a three step approach to DevOps security: 1) Plan security requirements upfront, 2) Engage developers in security, and 3) Automate security checks into the continuous integration/deployment pipeline. The key takeaways are to plan security thoroughly, involve developers, and integrate security testing automatically into the build process.

1. DevOps and Security: It’s Happening. Right Now.
Helen Bravo
Director of Product Management at Checkmarx
Helen.bravo@checkmarx.com

2. • Intro to DevOps
• Integrating security within DevOps
– Problems with traditional controls
– Steps to DevOps security
Agenda

3. What is DevOps About?
An unstoppable deployment process
… in small chunks of time

4. DevOps is Happening
Companies that have adopted DevOps

5. Can TRADITIONAL
web application
security controls fit
in…
… a DevOps environment?!

6. Traditional Web Application Security Controls
• Penetration Testing
• WAF (Web Application Firewall)
• Code Analysis

7. Penetration Testing- Takes Time!

8. Penetration Testing
– 300 pages report
– 3 weeks assessment time
– 2 weeks to get it into development

9. Web Application Firewall (WAF)
Thinking Continuous
Deployment?
Think Continuous
Configuration!

10. Code Analysis
• Setup time
• Running time
• Analysis time
… just too slow!

12. … Do Nothing?

13. Required: A New Secure SDLC Approach

14. Step by Step

15. Step 1: Plan for Security

16. • Identify unsecured APIs and frameworks
• Map security sensitive code portions. E.g. password
changes mechanism, user authentication
mechanism.
• Anticipate regulatory problems, plan for it.
Step 1: Plan for Security

17. Step 2: Engage the Developers.
And Be Engaged

18. • Connect developers to security
– Going to OWASP? Bring a developer with you!
• Is your house on fire? Share the details with your
developers.
• Have an open door approach
• Set up an online collaboration platform E.g. Jive,
Confluence etc.
Step 2: Engage the Developers. And Be Engaged

19. Step 3: Arm the Developers

20. • Secure frameworks:
– Use a secure framework such as Spring Security, JAAS, Apache
Shiro, Symfony2
– ESAPI is a very useful OWASP security framework
• SCA tools that can provide security feedback on pre-commit stage.
– Rapid response
– Small chunks
Step 3: Arm the Developer

21. Step 3: Automate the Process

22. • Integrate within your build (Jenkins, Bamboo,
TeamCity, etc.)
– SAST
– DAST
• Fail the build if security does not pass the bar.
Step 3: Automate the Process

23. Develop
Code
Commit
Source
Control
Build
Trigger
Unit Tests
Deploy
to
Production
Deploy to
Test Env
Report
&
Notify
Publish to
release
repository
Continuous Deployment

24. Develop
Code
Commit
Source
Control
Build
Trigger
Tests
Deploy
to
ProductionDeploy
to Test
Env
Report
&
Notify
Publish to
release
repository
Automatic
security
test
SCA
Test
Security within Continuous Deployment

25. Step 5: Use Old Tools Wisely

26. Step 5: Use Old Tools Wisely
• Periodic pen testing
• WAF on main functions
• Code review for security sensitive code portions.

27. Summary

28. • DevOps is happening. Right Now.
– During the time of this talk, Amazon has released
75 features and bug fixes.
• Security should not be compromised
• Don’t be overwhelmed. Start small
Summary

29. The 3 Takeaways
1. Plan from the ground
2. Engage with your developers
3. Integrate security into automatic build
process.

30. Questions?

31. Thank you
Helen.bravo@checkmarx.com