Más contenido relacionado


DevSecOps Basics with Azure Pipelines

  1. DevSecOps Using Azure Pipelines for Continuous CI CD and Security Mohammed Abdul Mujeeb
  2. Agenda • What is DevOps • DevOps using Azure Pipelines • What is DevSecOps • Why do we need DevSecOps • Demo - DevSecOps using Azure Pipelines
  3. Build Cycle
  4. DevOps • A compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers - Microsoft Definition • Any thing that speeds application delivery - Simplified • Automation plays an important role in speeding application delivery
  5. Azure DevOps • Set of tools to achieve DevOps • 5 Modules - Boards, Repos, Pipelines, Test Plan, Artifacts • Azure Pipelines - CI and CD tool
  6. Terminologies • Continuous Integration (CI) - Automated building of code • Continuous Delivery (CD) - Deployment ready, but not all changes will be deployed to production • Continuous Deployment (CD) - Automated deployment to production
  7. Demo Architecture
  8. Demo - Basic DevOps Process 1. Developer makes changes in IDE (VSCode) 2. Developer pushes the code to GIT 3. The push triggers automated build (CI) using Azure pipelines 4. The CI pulls latest source code, builds docker image and pushes docker image to Azure Container Registry (ACR) 5. Successful deployment to ACR triggers CD via Releases 6. The Release Pipeline deploys code to the App Service
  9. Basic DevSecOps Process • Design - Threat Modeling and Risk Assessment • Development - SAST Scan on IDE, Code Reviews • Continuous Integration (CI) - Security Unit Tests, Static Application Security testing, Open Source Analysis, Container Scanning • Continuous Delivery (CD) - Compliance Check, Dynamic Application Security Scanning, Infrastructure Security, Penetration testing • Continuous Deployment (CD) - Compliance Check, Runtime Defense • Security in Production - Monitoring, SSL Configuration,
  10. Challenges • Security as an after thought • Quick software release cycles • Moving workloads to cloud • Organizational Culture
  11. DevSecOps • Shift Security Left • Integrates security with DevOps without slowing down SDLC • Automates Security within the DevOps Workflow • Secure Continuous Development • Is not just about using bunch of security tools. It’s about people, process and tools
  12. DevSecOps for Business • An organization developing software in-house • An organization outsourcing software development • An organization procuring software from a vendor
  13. Tools of the trade • Threat Modeling - Microsoft Threat Modeling .. • SAST Scan - Checkmarx, SonarCloud, Open Source .. • OSA - Whitesource, BlackDuck, OWASP Dependency Check .. • Container Scan - Aqua, Twistlock, Anchore, Clair .. • DAST Scan - OWASP ZAP, TinFoil .. • Many other tools based on the requirement • Prefer open source tools to start
  14. Demo Secure CI and CD using Azure Pipelines Steps - 1. SAST scan using SonarCloud 2. Open Source Scan scan using Whitesource Bolt 3. Container Scan using Anchore 4. DAST Scan using OWASP Zap 5. Compliance Scan on the cloud infrastructure