Demonstrating Benefits of DevSecOps for Secure Code and Operations
Finto Thomas
Event: 8th Dec 2020 - GISEC 2020 - Dubai
Finto Thomas
Cybersecurity Architect and Strategist
• 15 years in IT and Information Security domains across multiple industries
• Presently at Alef Education, leading the Information Security function
• Previously worked at IBM and Wipro, across multiple geo locations
• Key Certifications: CISSP, SABSA, TOGAF, CISM, SANS-GSTRT
Connect with me: @FintoNT | LinkedIn
Disclaimer: The views expressed in these slides are my own. They do not represent the position of my current or past employers.
#GISEC 2020 @FintoNT
Topics Covered
• Embedding Security into DevOps
• Benefits and Constraints
• Key Takeaways
Before we get into DevSecOps – let us see how DevOps works
[Diagram] Developer → Source Code Repository → Build (CI/CD Server) → QA → Staging → Production & Monitor. Instant Feedback: ✗
DevOps + Security = DevSecOps
[Diagram] Two pipelines compared, Start to End.
DevOps stages: Build ✓, Artifactory Deploy ✓, Staging Setup ✓, Staging Deploy ✓, UAT ✓, Production Setup ✓, Production Approval ✓, Production Deploy ✓. Instant Feedback: ✗
DevSecOps stages: the same stages plus the security gates SCA ✓, SAST ✓, DAST ✓, Infrastructure Vul Scan ✓, Compliance Check ✓. Instant Feedback: ✓
Alert volumes shown for the gates: SCA – 600 Alerts; SAST – 1000 Alerts (false positives included); DAST – 5 Alerts
DevOps Pipeline
Phases: Plan → Code → Build → Test → Release → Deploy → Operate → Monitor
Activities shown along the pipeline: Design Sprint; Define Use Case; Prioritization; Stakeholders; Code Development; Source Code Management; Review & Merging; Continuous Integration; Build Status; Packaging; Artifact Repository; Pre-deployment; Staging; Provisioning; Infrastructure Orchestration; Configuration Management; Performance Monitoring; Application Monitoring; Alerting; Continuous Test Feedback; UAT
DevSecOps Phases mapped to type of security tools
DevSecOps - CI/CD Pipeline
Phases: Plan → Code → Build → Test → Release → Deploy → Operate → Monitor
Security tools and practices shown along the pipeline: Threat Modeling; Security Use Case Prioritization; Regulations; Policies; IDE Plugin; Pre-Commit hooks; Secrets Management; SAST; SCA; DAST; Compliance; Container Security; System Hardening; Web Application Firewall; Vulnerability Management; PAM; Feedback on business Risk
Security function benefits from DevSecOps
[Banner] DevOps benefits: Rapid business value delivery; Rapid user feedback; Scalable and auto sizing; Fast to market, market edge
1. Shift Left – security is baked in at the early stages
2. Products have inbuilt security controls – robust, secure products to market
3. Less vulnerable product – the build test fails automatically when the developer commits (saves) the code
4. Security is everyone's responsibility – better collaboration across the whole app development chain
5. High return on security investment – early detection and remediation save effort and time
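The gate behaviour in items 3 and 5 above, together with the alert volumes on the "DevOps + Security = DevSecOps" slide (600 SCA, 1000 SAST with false positives, 5 DAST), as an added Python example that is not part of the deck: findings from the three scanners are de-duplicated, reviewer-triaged false positives are suppressed through a baseline, a per-tool severity threshold decides whether the commit fails, and the developer receives a ranked short list instead of the raw report. Tool names, thresholds, rule ids and the sample findings are constructed for this example.

```python
"""Pipeline security gate with prioritised developer feedback (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Lowest severity that breaks the build, per tool (assumed policy). DAST
# findings come from a running staging instance and are far fewer and more
# reliable than static-scanner output, so the bar is set lower there.
FAIL_AT = {"sca": "high", "sast": "high", "dast": "medium"}


@dataclass(frozen=True)
class Finding:
    tool: str       # "sca", "sast" or "dast"
    rule: str       # scanner rule id, e.g. a CWE number or an advisory id
    location: str   # file:line, package@version or URL
    severity: str   # key of SEVERITY_RANK

    def key(self) -> str:
        """Stable identity used to de-duplicate and to match the baseline."""
        return f"{self.tool}:{self.rule}:{self.location}"


@dataclass
class GateResult:
    passed: bool = True
    blocking: list[Finding] = field(default_factory=list)
    suppressed: int = 0       # matched a reviewer-triaged false-positive entry
    below_threshold: int = 0  # real but not blocking; tracked for later sprints

    def summary(self) -> str:
        """Short message for the developer: verdict first, then top items."""
        verdict = "PASSED" if self.passed else "FAILED"
        lines = [f"Security gate {verdict}: {len(self.blocking)} blocking, "
                 f"{self.below_threshold} below threshold, {self.suppressed} suppressed"]
        for f in self.blocking[:5]:
            lines.append(f"  [{f.severity.upper()}] {f.tool}/{f.rule} at {f.location}")
        return "\n".join(lines)


def severity_rank(value: str) -> int:
    """Unknown or misspelled severities fail closed: they count as critical."""
    return SEVERITY_RANK.get(value.lower(), SEVERITY_RANK["critical"])


def evaluate_gate(findings: Iterable[Finding], baseline: set[str]) -> GateResult:
    """Decide pass/fail for one commit and rank what the developer must fix."""
    result = GateResult()
    seen: set[str] = set()
    for f in findings:
        k = f.key()
        if k in seen:
            continue                      # scanners often report one hit twice
        seen.add(k)
        if k in baseline:
            result.suppressed += 1        # triaged earlier; keep it out of the noise
            continue
        if severity_rank(f.severity) >= severity_rank(FAIL_AT.get(f.tool, "low")):
            result.blocking.append(f)
        else:
            result.below_threshold += 1
    # Highest severity first, so the top of the report is what to fix first.
    result.blocking.sort(key=lambda f: (-severity_rank(f.severity), f.tool, f.rule))
    result.passed = not result.blocking
    return result


# Constructed scanner output for one commit; these are not real findings.
SAMPLE_FINDINGS = [
    Finding("sca", "ADVISORY-EXAMPLE-1", "example-lib@1.2.3", "high"),
    Finding("sca", "ADVISORY-EXAMPLE-1", "example-lib@1.2.3", "high"),  # duplicate
    Finding("sast", "CWE-89", "app/db.py:42", "critical"),
    Finding("sast", "CWE-327", "app/legacy/hash.py:7", "high"),  # reviewed: test fixture
    Finding("sast", "CWE-547", "app/config.py:3", "low"),
    Finding("dast", "missing-csp-header", "https://staging.example.test/", "medium"),
    Finding("dast", "server-banner", "https://staging.example.test/", "info"),
]
# Baseline of finding keys a reviewer marked as false positives (constructed).
SAMPLE_BASELINE = {"sast:CWE-327:app/legacy/hash.py:7"}

if __name__ == "__main__":
    import sys
    gate = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_BASELINE)
    print(gate.summary())
    sys.exit(0 if gate.passed else 1)  # non-zero exit fails the CI job
```

Baseline entries are the mechanism that turns the 1000-alert SAST report into a manageable one; they should carry a reviewer, a reason and an expiry in a real pipeline so suppressions are revisited rather than accumulated.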
Developers benefit from DevSecOps
1. Instant feedback – developers get faster feedback on security tests and use cases (~5 minutes)
2. No more surprises from security reports – security is part of the pipeline and transparent to all
3. Better security awareness and collaboration – one team + one agenda + one delivery
Operational benefits from DevSecOps
1. Early detection and prevention systems – security threats and incidents can be identified at early stages of the pipeline
2. Easy to fix production issues – isolate them without production impact
3. Expectations are clearer and simpler – compliance, hardening etc. are established in early stages as "user stories"
4. Automation reduces Ops team effort on security maintenance – repeatable remediation steps can be automated
Key constraints
1. Asset/service inventory, tracking and billing – orphaned and testing containers and systems
2. Identity and Access Management – hardcoded and decentralized credentials
3. High cost of enterprise tools & limitations – language-specific tools and cloud licensing need attention
4. Skill shortage in DevSecOps – market adoption is still in early stages
5. Adoption of a new mindset and tools – the definition of the perimeter changes and is no longer traditional
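Constraint 2 above is the one a pre-commit hook (listed alongside Secrets Management on the tools slide) can catch before a credential reaches the repository. As an added Python example, not code from the deck: it scans only the added lines of a staged diff for fixed-format keys and for high-entropy literals assigned to credential-like names, skips placeholders such as `${VAR}` or `changeme`, and reports a redacted prefix only. The patterns, the entropy cut-off and the sample diff are this example's assumptions.

```python
"""Pre-commit check for hard-coded credentials in a staged diff (added example)."""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass

# Fixed-format credentials: reported whenever they appear (assumed list).
KNOWN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# A quoted literal assigned to a credential-looking name; the literal is
# then judged by entropy so that placeholders and defaults do not fire.
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)
PLACEHOLDER_MARKERS = ("${", "<", "example", "changeme", "placeholder", "xxxx")
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed cut-off
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Hit:
    path: str
    line: int       # line number in the new version of the file
    kind: str
    redacted: str   # a prefix only; the hook must never echo the full secret


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking secrets score well above words."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """Env-var references, templates and well-known dummy values are not secrets."""
    low = value.lower()
    return any(marker in low for marker in PLACEHOLDER_MARKERS)


def redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_diff(diff_text: str) -> list[Hit]:
    """Scan only the added lines of a unified diff (e.g. `git diff --cached`)."""
    hits: list[Hit] = []
    path, new_line = "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                 # new-file header
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        hunk = HUNK.match(raw)
        if hunk:
            new_line = int(hunk.group(1)) - 1
            continue
        if raw.startswith(("-", "\\", "diff ", "index ")):
            continue                               # removed lines never land in the repo
        new_line += 1                              # context and added lines both count
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append(Hit(path, new_line, kind, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if not looks_like_placeholder(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                hits.append(Hit(path, new_line, "high-entropy-credential", redact(value)))
    return hits


# Constructed staged diff, not from any real repository. The AKIA value is
# the documented AWS sample key, used here only as an input.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,2 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "s3cr3t-Pa55w0rd-2020-xyz"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "${API_TOKEN}"
+DEFAULT_PASSWORD = "changeme"
"""

if __name__ == "__main__":
    # As a hook:  git diff --cached | python precommit_secrets.py
    found = scan_diff(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for h in found:
        print(f"{h.path}:{h.line}: {h.kind} {h.redacted}")
    sys.exit(1 if found else 0)   # non-zero exit blocks the commit
```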
DevSecOps = New Culture + New Skills + Automation
[Diagram] People / Process / Tools – Culture, Skills, Automation – Scalable, Innovation, Speed – Success – DevSecOps
Methodologies and Culture
1. Embrace developers with the right tools and advice; find security tools that developers will actually use
2. Security needs to adopt Agile – sprint models and processes that fit the new environments. Automation is key.
3. Identify and eliminate risk as early as possible in the workflow, with relevant prioritizations and trade-offs
People and Skills
[Graphic] Zero Trust
1. Build personal trust and break silos
2. Encourage security mindsets and security champions with relevant trainings and incentive programs
3. Collaborate on problem solving; avoid the blame game
Tools and Technologies
1. Adopt new programmable tools which developers really use; the security team's role is advisory and enabling
2. Traditional security solutions are logically valuable, but need to adapt to the new environment
3. Traditional security tools often do not work in the new environment
Maturity Assessment
1. OWASP DevSecOps Maturity Model – https://owasp.org/www-project-devsecops-maturity-model/
2. ABN AMRO Model (level 5) – https://www.slideshare.net/derweeksglobal/abn-amro-devsecops-journey
Key Takeaways
DevSecOps = New Culture + New Skills + Automation

Technology and Tools
• Bake security into the DevOps flow; do not try to bolt security on later
• Security controls must be programmable and automated wherever possible
• Keep an eye on simpler and better programmable options
• Use tools and methods that the developer team actually uses

Process and Methodologies
• Adopt Agile and lean methods
• Involve security as early as possible in the workflow, best at the design and planning phase
• Fix by priorities; do not attempt to fix it all
• The DevSecOps feedback process must be smooth and governed
• Metrics and KPIs need to be relevant and easy to generate

People and Skills
• Build personal relations and trust
• Break silos; do not isolate
• Identify and nurture "security champions" in each team
• Focus on the problem and the solution; do not blame the person or team
• Conduct short and repeatable training sessions and training videos
External Documents referred
• https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defending-Web-Applications-in-the-Age-of-DevOps.pdf
• https://dzone.com/articles/effective-devsecops
• https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Shrivastava-DevSecOps.pdf
• https://www.sonatype.com/hubfs/2018%20State%20of%20the%20Software%20Supply%20Chain%20Report.pdf
• https://www.veracode.com/state-of-software-security-report#snap__subnav_51096
• https://docs.aws.amazon.com/whitepapers/latest/introduction-devops-aws/two-pizza-teams.html
• https://www.infoq.com/presentations/devsecops-2019/
• https://owasp.org/www-project-devsecops-maturity-model/
#GISEC 2020 @FintoNT 18
#GISEC 2020 @FintoNT 19

Weitere ähnliche Inhalte

Was ist angesagt?

DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..Siddharth Joshi
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices Hendri Karisma
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOpsCYBRIC
 

Was ist angesagt? (20)

DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
 
Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
 

Ähnlich wie Benefits of DevSecOps

RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...Synopsys Software Integrity Group
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowAmien Harisen Rosyandino
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfEnov8
 
How to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValueHow to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValueRapidValue
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldArun Prabhakar
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXNGINX, Inc.
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Eryk Budi Pratama
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Najib Radzuan
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Enterprise IoT solution in 30 days
Enterprise IoT solution in 30 days Enterprise IoT solution in 30 days
Enterprise IoT solution in 30 days Manolis Nikiforakis
 
Synopsys_site.pptx
Synopsys_site.pptxSynopsys_site.pptx
Synopsys_site.pptxArthur528009
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksSynopsys Software Integrity Group
 
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 

Ähnlich wie Benefits of DevSecOps (20)

RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
 
How to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValueHow to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValue
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
 
Shift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINXShift Left for More Secure Apps with F5 NGINX
Shift Left for More Secure Apps with F5 NGINX
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Enterprise IoT solution in 30 days
Enterprise IoT solution in 30 days Enterprise IoT solution in 30 days
Enterprise IoT solution in 30 days
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
 
Synopsys_site.pptx
Synopsys_site.pptxSynopsys_site.pptx
Synopsys_site.pptx
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
 
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 

Mehr von Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS (9)

Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0
 
Deception ey
Deception ey Deception ey
Deception ey
 
Threathunting v0.1
Threathunting v0.1Threathunting v0.1
Threathunting v0.1
 
Vulnerability manager v1.0
Vulnerability manager v1.0Vulnerability manager v1.0
Vulnerability manager v1.0
 
Network & security startup
Network & security startupNetwork & security startup
Network & security startup
 
Idps technology starter v2.0
Idps technology starter v2.0Idps technology starter v2.0
Idps technology starter v2.0
 
Data lake protection ft 3119 -ver1.0
Data lake protection   ft 3119 -ver1.0Data lake protection   ft 3119 -ver1.0
Data lake protection ft 3119 -ver1.0
 
Virtualization & tipping point
Virtualization & tipping pointVirtualization & tipping point
Virtualization & tipping point
 
Finto InfoSec ExIBM- CISSP ITIL CCSP CCIE JNCIS MCP 8.5 Yrs
Finto InfoSec ExIBM- CISSP ITIL CCSP CCIE  JNCIS MCP 8.5  YrsFinto InfoSec ExIBM- CISSP ITIL CCSP CCIE  JNCIS MCP 8.5  Yrs
Finto InfoSec ExIBM- CISSP ITIL CCSP CCIE JNCIS MCP 8.5 Yrs
 

Kürzlich hochgeladen

Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdfAndrey Devyatkin
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfmaor17
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfRTS corp
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorTier1 app
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 

Kürzlich hochgeladen (20)

Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdf
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Effectively Troubleshoot 9 Types of OutOfMemoryError

Benefits of DevSecOps

  • 1. Demonstrating Benefits of DevSecOps for Secure Code and Operations Finto Thomas Event : 8th Dec 2020 - GISEC 2020 - Dubai
  • 2. Finto Thomas, Cybersecurity Architect and Strategist
    • 15 Years in IT and Information Security domains across multiple industries
    • Presently at Alef Education and Leading Information Security function
    • Previously worked at IBM and Wipro, across multiple geo locations
    • Key Certifications: CISSP, SABSA, TOGAF, CISM, SANS-GSTRT
    Connect with me @FintoNT LinkedIn
    Disclaimer : The views expressed in these slides are my own. They do not represent the position of my current and past employers
    #GISEC 2020 @FintoNT 2
  • 3. Topics Covered • Embedding Security into DevOps • Benefits and Constraints • Key Takeaways #GISEC 2020 @FintoNT 3
  • 4. Before we get in to DevSecOps – Let us see how DevOps works
    [Diagram: Developer → Source Code Repository → Build (CI/CD Server) → QA → Staging → Production & Monitor; a failed stage (✗) sends instant feedback back to the developer]
  • 5. DevOps + Security = DevSecOps
    [Diagram comparing the two pipelines. DevOps: Start, Build, Artifactory Deploy, Staging Setup, Staging Deploy, UAT, Production Setup, Production Approval, Production Deploy, End, each stage with a pass (✓) gate. DevSecOps: the same stages plus SCA, SAST, DAST, Infrastructure Vul Scan and Compliance Check gates; a failed gate (✗) gives instant feedback. Alert volumes shown: SCA – 600 Alerts; SAST – 1000 Alerts (false positive included); DAST – 5 Alerts]
  • 6. DevOps Pipeline
    Phases: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.
    Activities shown along the pipeline: Design Sprint, define Use Case, Prioritization, Stakeholders; Code Development, Source Code Management, Review & Merging; Continuous Integration, Build Status, Packaging, Artifact Repository; Continuous Test, Feedback, UAT; Pre deployment, Staging; Provisioning, Infrastructure Orchestration, Configuration Management; Performance Monitoring, Application Monitoring, Alerting.
  • 7. DevSecOps Phases mapped to type of security tools
    Phases: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.
    Security tools and practices mapped onto the DevSecOps CI/CD pipeline: IDE Plugin, Pre Commit hooks, Secrets Management, SAST, SCA, Feedback on business Risk, Threat Modeling, Security Use Case Prioritization, Regulations, Policies, Container Security, System Hardening, DAST, Compliance, Web Application Firewall, Vulnerability Management, PAM.
  • 8. Security function benefits from DevSecOps
    [Graphic: DevOps benefits – Rapid Business value delivery, Rapid user feedback, Scalable and Auto Sizing, Fast to Market, Market Edge]
    1. Shift Left – Security is baked in at the early stages
    2. Products have inbuilt security controls – Robust, secure products to market
    3. Less vulnerable product – The build test fails automatically when the developer "commits" (saves) the code
    4. Security is everyone's responsibility – Better collaboration among the whole app development chain
    5. High Returns on security Investment – Early detection and remediation save effort and time
  • 9. Developer benefits from DevSecOps
    1. Instant feedback – Developers get faster feedback on security tests and use cases (~5 minutes)
    2. No more surprises from Security reports – Security is a part of the pipeline and transparent to all
    3. Better Security awareness and collaboration – One Team + One agenda + One delivery
  • 10. Operational benefits from DevSecOps
    1. Early detection and prevention systems – Security threats and incidents can be identified at early stages of the pipeline
    2. Easy to fix production issues – Isolate them without production impact
    3. Expectations are clearer and simpler – Compliance, hardening etc. are established in early stages as "user stories"
    4. Automation reduces Ops team effort on security maintenance – repeatable remediation steps can be automated
  • 11. Key constraints
    1. Asset/Service Inventory, tracking and billing – Orphaned and testing containers and systems
    2. Identity and Access Management – Hardcoded and decentralized credentials
    3. High Cost of Enterprise Tools & limitations – Language specific, cloud licensing need attention
    4. Skill shortage on DevSecOps – Market adoption still in early stages
    5. Adoption of new mindset and tools – The definition of the perimeter changes and it is no longer traditional
  • 12. DevSecOps = New Culture + New Skills + Automation
    [Diagram: People, Process and Tools; Culture, Skills and Automation; leading to Scalable, Innovation, Speed and Success for DevSecOps]
  • 13. Methodologies and Culture
    1. Embrace developers with the right tools and advice; find security tools that developers will actually use
    2. Security needs to adopt Agile – sprint models and processes that fit the new environments. Automation is key.
    3. Identify and eliminate risk as early as possible in the workflow, with relevant prioritizations and trade-offs
  • 14. People and Skills
    [Graphic: Zero Trust]
    1. Build personal trust and break silos
    2. Encourage security mindsets and security champions with relevant trainings and incentive programs
    3. Collaborate on problem solving, avoid the blame game
  • 15. Tools and Technologies
    1. Adopt new programmable tools which developers really use; the security team's role is advisory and enabling
    2. Traditional security solutions are logically valuable, but need to be adapted to the new environment
    3. Traditional security tools often do not work with the new environment
  • 16. Maturity Assessment
    1. OWASP – https://owasp.org/www-project-devsecops-maturity-model/
    2. ABN AMRO Model (level 5) – https://www.slideshare.net/derweeksglobal/abn-amro-devsecops-journey
  • 17. Key Takeaways: DevSecOps = New Culture + New Skills + Automation
    Technology and Tools
    • Bake security into the DevOps flow; do not try to bolt security on later
    • Security controls must be programmable and automated wherever possible
    • Keep an eye on simpler and better programmable options
    • Use tools and methods that the developer team actually uses
    Process and Methodologies
    • Adopt Agile and lean methods
    • Involve security as early as possible in the workflow; best done at the design & planning phase
    • Fix by priorities; do not attempt to fix it all
    • The DevSecOps feedback process must be smooth and governed
    • Metrics and KPIs need to be relevant and easy to generate
    People and Skills
    • Build personal relations and trust
    • Break silos; do not isolate
    • Identify and nurture "security champions" in each team
    • Focus on the problem and solution; do not blame the person or team
    • Conduct short and repeatable training sessions and training videos
  • 18. External Documents referred
    • https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defending-Web-Applications-in-the-Age-of-DevOps.pdf
    • https://dzone.com/articles/effective-devsecops
    • https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Shrivastava-DevSecOps.pdf
    • https://www.sonatype.com/hubfs/2018%20State%20of%20the%20Software%20Supply%20Chain%20Report.pdf
    • https://www.veracode.com/state-of-software-security-report#snap__subnav_51096
    • https://docs.aws.amazon.com/whitepapers/latest/introduction-devops-aws/two-pizza-teams.html
    • https://www.infoq.com/presentations/devsecops-2019/
    • https://owasp.org/www-project-devsecops-maturity-model/
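The gated pipeline of slides 5 and 7 (SCA, SAST and DAST stages that fail the build and feed back to the developer), the "fix by priorities" and "easy to generate KPI" takeaways of slide 17, and the noisy SAST count of slide 5 can be combined into one small gate policy. The script below is an added example, not code from the slides; the finding format, the per-scanner thresholds and the scan results are constructed assumptions.

```python
"""Added example (not from the slides): gate for the SCA/SAST/DAST stages.
Finding format, thresholds and scan results are constructed assumptions:
a finding is a dict with 'id', 'severity' and an optional 'triaged' flag
set by a reviewer for false positives or accepted risk."""
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed policy: fail on un-triaged findings at or above this severity.
# SAST is noisy (slide 5: 1000 alerts, false positives included), so it
# gates on high+; DAST findings are few and reachable, so medium+.
GATE_THRESHOLD = {"sca": "high", "sast": "high", "dast": "medium"}

def evaluate_gate(scanner, findings, threshold=None):
    """Return (passed, blocking_findings, metrics) for one scanner."""
    cutoff = SEVERITY_RANK[threshold or GATE_THRESHOLD[scanner]]
    blocking = [f for f in findings if not f.get("triaged")
                and SEVERITY_RANK[f["severity"]] >= cutoff]
    # Worst first, so the feedback says what to fix first (fix by priority)
    blocking.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    # Easy-to-generate KPI: per-severity counts plus what triage removed
    metrics = dict(Counter(f["severity"] for f in findings))
    metrics["triaged"] = sum(1 for f in findings if f.get("triaged"))
    metrics["total"] = len(findings)
    return not blocking, blocking, metrics

def run_pipeline(results):
    """Gate every scanner; return (overall_pass, developer_feedback)."""
    overall, lines = True, []
    for scanner, findings in results.items():
        passed, blocking, m = evaluate_gate(scanner, findings)
        overall = overall and passed
        lines.append(f"[{scanner.upper()}] {'PASS' if passed else 'FAIL'}: "
                     f"{m['total']} findings, {m['triaged']} triaged, "
                     f"{len(blocking)} blocking")
        lines += [f"  - {f['severity']:<8} {f['id']}" for f in blocking[:5]]
    return overall, "\n".join(lines)

# Constructed scan output for one commit (ids are placeholders)
SAMPLE_RESULTS = {
    "sca": [{"id": "sca-dep-001", "severity": "critical"},
            {"id": "sca-dep-002", "severity": "high", "triaged": True}],
    "sast": [{"id": "sast-rule-017", "severity": "high", "triaged": True},
             {"id": "sast-rule-042", "severity": "medium"}],
    "dast": [{"id": "dast-hdr-001", "severity": "medium"}],
}

if __name__ == "__main__":
    ok, report = run_pipeline(SAMPLE_RESULTS)
    print(report)
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI stage
```

Run as a pipeline step, the non-zero exit is what turns the stage red and delivers the "instant feedback" of slide 5 within the same run.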

Editor's notes

  1. Color change
  2. https://dzone.com/articles/effective-devsecops