1.
PAGE
1
DEVOPS INDONESIA
PAGE
1
DEVOPS INDONESIA
Yohanes Syailendra, M.Kom
DKATALIS
Jakarta, 8 Maret 2022
DevSecOps Implementation Journey

2.
DevSecOps
Implementation
Journey

3.
#whoami
Yohanes Syailendra, M.Kom
LPT, ECSA, CEH, CPSA, CHFI, CEI
• DevSecOps Lead
• DFIR Consultant
• Malware Researcher
• Threat Intelligence Researcher
• Research Leader Indonesia Honeynet
Project

4.
What is DevSecOps?
→ Is the ART to shifting security point of view to the left,
broaden the security controls, not only on the later stage of
development lifecycle, but every process of Development
itself
Why DevSecOps in DK?
1. Faster time-to-market because all the developer already
understand what they lacking of before app release
2. Minimize the Security vulnerabilities findings at later stage
(pentest)
3. More security visibility (up to Source code and third party
module level)
4. Automation everywhere

5.
Why Shifting to the Left?
Pentest Pentest

6.
DevOps Lifecycle

7.
In DevOps, Pipeline is everything

8.
Security in DevOps
Security Awareness
Sprint Pentest

9.
Culture> Processes> Architecture> Automation> Measurement
Application Security Engineering (DevSecOps)

10.
9
Our Technology Stacks

11.
10
DevSecOps Architecture
Developer Commit their
code to Gitlab SCM
DK Developers &
Tech Leads
SCM and CI/CD
Platform
2
CI/CD trigger
scan using
SCA & IAC
scanner &
SAST tool
3
SAST Tool
Code Phase Build Phase Release Phase
CI/CD trigger
scan using DAST
5
Plan Phase
App / Feature
Design and RFC
Process
Define Threat
Modelling for each
app
1
Threat Modelling
Tool DAST Tool
Correlation
Dashboard
CI/CD trigger to scan
the docker image
4
Container
Security
Container
RASP
7
Container
Security
Mobile App Shielding
Perform App
Shielding 6
Verify Phase

12.
DevSecOps - SAST & SCA

13.
DevSecOps - DAST

14.
DevSecOps - Infrastructure as Code Scanner

15.
Establishing security as an
enabler of cloud transformation
within Masan
Creating and embedding
security engineering as a
competency, to integrate security
throughout the development
lifecycle of applications and
products
Uplifting internal capability
across technology teams, to
ensure that people are skilled
up/reskilled on security aspects of
the cloud, through training and
continuous enablement.
Embracing a culture of review
with clear processes designed to
scale without impeding velocity.
eg. code/config reviews with clear
expectations and education of
developers and reviewers
Creating platforms and systems
that are secure-by-design for
the cloud
➢ Zero trust - Shifting from
perimeter-based security to
a model of no implicit trust
➢ Service identities -
Establishing security based
on identity rather than
infrastructure
➢ Standardised policy
enforcement - Integrating
common policy/pipeline
controls at scale
➢ Frequent, automated
rollouts - Enabling rapid
changes to address new
threats
➢ Isolation between
workloads - Giving security
assurance at a micro-level for
the hyperscale
➢ Reusable frameworks and
hardened templates that
enable secure-by-design
architecture and application
development in the cloud
Security Engineering
Defining a strong cloud security,
governance and compliance
posture
Establishing a
control-framework that provides
clear guidelines and expectations
of development teams
Policy-as-code to automate
policy management frameworks
and enable continuous validation
Shifting-left to integrate
security tooling with engineers
as early-as-possible in the
application lifecycle (early
feedback loops/DevSecOps)
A rapid, secure onboarding path
for application teams to use the
cloud
Enabling proactive and
automated security response
and remediation
Integrating logging, monitoring
and threat intelligence feeds to
bring centralized/standardized
visibility to cloud environments and
identify events of high
security/business risk
Establishing cloud forensics and
threat hunting capabilities to
enable advanced security
investigations and incident
response
Deploying security
orchestration and automated
response tooling and playbooks
to provide rapid response and
minimize the impact of cloud
security incidents
Security Culture Policy Management Security Operations
14
DevSecOps is not only about tooling

16.
OWASP DevSecOps Maturity
Guide: https://dsomm.timo-pagel.de/

17.
Actionable Learning
1. AIM BIG, START SMALL, DevSecOps is a Journey not a one
time project
2. Developers are your best friend. Work with them all the time
3. Don’t be a stopper for the pipeline at first, learn how DevOps
works in stages
4. DevSecOps is not only about tooling, but develop a security
mindset, process and cultures across developers
5. Security Team need to learn about coding practice,
especially DevOps environment and tools they used, a full
synergy with Developers is a must
6. Finding a vulnerability is very important, but closing the
vulnerability more important
7. Do research on what technology fits your environment. Not
every good tool can fit your pipelines

18.
Stay Connected With Us!
t.me/iddevops
DevOps Indonesia
DevOps Indonesia
DevOps Indonesia
@iddevops
@iddevops
DevOps Indonesia
Scan here

19.
PAGE
20
DEVOPS INDONESIA
Alone Weare smart,together Weare brilliant
THANKYOU !
Quote by Steve Anderson