Más contenido relacionado


Dev secops indonesia-devsecops as a service-Amien Harisen

  1. DevSecOpsIndonesia Integrating SEC to DevOps, with less time, money and energy DevSecOps as a Service
  2. ABOUT ME Amien Harisen – CEO & Founder of Tjakrabirawa Teknologi Indonesia 10+ yrs experience DevSecOps enthusiast Cybersecurity enthusiast MMR Hunter Put your photo here DevSecOpsIndonesia
  3. DevSecOpsIndonesia What is DevSecOps & Why ? What is DevSecOps? Basically, DevSecOps is DevOps with security built-in, right from the start. It means building security into requirements, into design, into code, and into deployment, logging, and monitoring — in short, into your entire DevOps supply chain. Why DevSecOps? DevsecOps practices helps to stay competitive and helps us develop and deploy securely from day one. This proactive approach helps mitigate security issues and keeps things in “order” —instead of firefighting
  4. DevSecOpsIndonesia How to Implement DevSecOps ;TLDR version Shift Left Mantra Shifting the focus of security to the left in the development cycle essentially means that identifying vulnerabilities should be an integral part of the development process from the beginning.. Shared Responsibility If it’s a shared responsibility, then it requires a shared knowledge of what and how to watch and implement. To be able to move left in the cycle with this shared knowledge, pipeline phases and gates need to be incorporated. There are many variations? Passages of Lorem Ipsum available, but the majority have suffered alteration in some form, by injected humour, or randomised words which don't look even slightly believable. If you are going to use a passage of Lorem Ipsum, you need to be sure there isn't anything embarrassing hidden in the middle of text. All the Lorem Ipsum generators on the Internet tend to repeat predefined chunks as necessary, making this the first true generator on the Internet. It uses a dictionary of over 200 Latin words, combined with a handful of model sentence structures, to generate Lorem Ipsum which looks reasonable. The generated Lorem Ipsum is therefore always free from repetition, injected humour, or non-characteristic words etc
  5. DevSecOpsIndonesia How to Implement DevSecOps ;Sumo Logic Approach DevSecOps is a complex system requiring the right combination of expertise and partnerships Stress Security at Every Level • Also known as ‘left-shifting security’ for how it moves accountability in the continuous delivery pipeline, this approach empowers individual team members to address potential vulnerabilities before code passes to the next stage. If a delivered project is a package of individual pieces, incorporating security at every level is the equivalent of “bubble wrapping” each item before bundling them for shipment, resulting in safer delivery. Perform a Thorough Security Needs Assessment • Combining internal resources and expert partners where needed, develop a complete picture of operating conditions and vulnerabilities. Equipped with current audits and reports outlining strengths and weaknesses, stakeholders can build the approach that meets their specific challenges. Make Security Changes at the Code Level • Older delivery pipelines often addresses network vulnerabilities with third-party programs, protective information management policies, and other reactive measures. Build a DevSecOps approach that builds protective security armor into the code itself, and you’ll see the need for a reactive patchwork of measures to protect entire applications can be reduced or eliminated. Automate Whenever Possible • One of the most time-consuming aspects of dated delivery models was testing and correcting code before shifting it rightward down the pipeline. DevSecOps leverages tools to automate most of this process, performing it almost instantaneously so delivery isn’t bogged in the human testing that would be required to ensure the same level of security. Use Dashboards and Alerts for Continuous Monitoring • There are too many interactions taking places in a DevSecOps environment to decipher without a unified approach for monitoring and fine tuning operations. By developing desired baseline and alert levels, IT teams can interact in real-time and automate common responses to conditions or threats.
  6. DevSecOpsIndonesia How to Implement DevSecOps ;Synopsis Approach Finding your way to DevSecOps • Embracing a DevSecOps practice requires key cultural and practical changes to integrate security into all stages of the SDLC, including the following: • Integrating security into defect tracking and postmortems • Integrating security controls into shared source code repositories and services • Integrating security into your deployment pipeline • Ensuring the security of the application • Ensuring the security of the software supply chain Automate your critical processes • Finding the right tools for your environment is an important step—you need tools that fit into your CI/CD workflows and run automatically. Not only that, but you need these tools to notify the right people when there’s an issue, educate them about it, and provide guidance on how to remediate it. And you can’t do that just once—you must test early in the development life cycle (often referred to as “shifting left”), during integration and testing, and on through installation, deployment, and maintenance. There’s no way to ensure the ongoing security of an application after it’s in production; you must continue to test in production and remediate any new security issues. Empower your teams • Security tools and automation alone can’t secure your applications. Invest in your teams and empower them to build a true DevSecOps culture by making software security training a priority and ensuring that the training is relevant to your employees’ roles and projects. Perhaps most important—remember that DevOps isn’t a title change. It’s a true change to the culture at your company. It takes time, training, tools, and the desire to embrace the culture of DevOps. Integrating security into the daily work of your DevOps teams may be time-consuming, but it’s time well spent. Your development, operations, and security teams will work together collaboratively to improve the quality and security of the software you deliver, leading to faster software delivery and, ultimately, happier customers.
  8. DevSecOpsIndonesia DevSecOps Challenge • Dev / Ops / Sec Ratio 100 / 10 / 1 • Expensive Capital Expenditure Train the developers (for how many hours) Train the operations (for how many hours) Hire security champions (for how many hours) Hardware & Software purchasing (at what scale) • Time consuming In x time is when the number of y DevOps teams aware and can shared the security responsibility. Not every company share the same culture, thus the same DevSecOps approach cannot cannot be applied to the all company.
  9. DevSecOpsIndonesia Proposed Solution – DevSecOps as a Service
  10. DevSecOpsIndonesia DevSecOps as a Service Benefit • Segregation of Responsibility Put the DevOps team to focus on the production and the Security team within the pipeline. • Converting from Capital Expenditure to Operational Expenditure DevSecOps can be more accessible by larger and diverse company with all kind of size. • LESS Time consuming Apply the DevSecOps adoption self assessment (or hire a DevSecOps consultant) e.g • Freedom of Implementation Method Internal implementation / External Implementation
  11. DevSecOpsIndonesia Sample of Implementation
  12. DevSecOpsIndonesia Question & Answers
  13. DevSecOpsIndonesia “Agile can be fragile if you not handle it well”