DevSecOps OWASP

  1. DevSecOps at Scale. Priyanka Raghavan
  2. About me
     • Security Architect at Maersk
     • MS in Software Engineering from CMU
     • Over 15 years of software development experience in roles as Developer, Team Lead, Product Architect and Security Architect
     • Proud mother of two boys
     • Love learning and open source
     • Generally suspicious of everything
     • @Priyankarags on Twitter
  3. Agenda
     • Motivation
     • State of system vs target state
     • DevSecOps in practice
     • Challenges
     • Conclusions
  4. Motivations
     • Secure by Design / Agile Software Architecture
     • Moving security to the left (earlier in product development)
     • Get continuous feedback / iterative development
     • Security is a shared responsibility: it is owned by the product team and also by the security organization
  5. State of System
     • Not many teams define security requirements in the backlog
     • Security not built into design
     • Security moved to the end (pen testing / working off a checklist)
     • Pockets of excellence, with teams using their own tools for secure development
     • Perceived lack of community support groups to help with secure development; teams perceive security as “hard to do”
     • 16 agile teams, 71 pipelines, different technology stacks, microservices architecture, 4 months to code freeze and 1 Security Architect
     • No existing tools used for security testing
     Target State
     • Security requirements are placed in Azure DevOps
     • “Secure by Design” is not a mantra but is followed by doing threat modeling as a group exercise
     • Security moved to the left / starts earlier
     • Build security into DevOps
     • Use tools that are easy to adopt and scale
     • Shared responsibility
     • Security is not a burden and is easy to adopt; build a culture around security
     • Logs are sent to the SOC for monitoring
  6. DevSecOps in practice: where did I start?
     • OWASP resources to start: OWASP Top 10, OWASP Cheat Sheet Series, OWASP security headers education https://owasp.org/www-project-secure-headers/
     • ZAP, Sonar with Security profile
     • Open source tooling (Vandana’s talk https://www.youtube.com/watch?v=cD3-1rb_HNM)
     • https://www.redhat.com/en/topics/devops/what-is-devsecops
  7. DevSecOps in practice: where did I start?
     • Created a wiki and started the exercise of educating teams
     • Joined a security champions forum
     • Prototype of running open source security tooling in Jenkins, Argo and Azure DevOps
  8. DevSecOps in practice
     • Collect security requirements (tags in ADO)
     • Threat modeling (OWASP Threat Dragon, Microsoft Threat Modeling Tool, whiteboard)
     • SAST (Static Application Security Testing: SonarQube with Security Profile)
     • DAST (Dynamic Application Security Testing: ZAP)
     • Third-party open source monitoring / container scanning (WhiteSource/Twistlock and Azure standard security monitoring)
     • Mandatory HTTP security header checking (HSTS, Content-Security-Policy, X-XSS-Protection, X-Frame-Options, X-Content-Type-Options: nosniff)
     • SSL site certificate checker (Qualys SSL Labs)
     • Logging and monitoring (send ASC logs to SOC, Datadog)
     • Penetration testing (manual testing)
  9. DevSecOps in Practice
     • Get integrated with teams and participate in architectural discussions
     • Security during design whiteboarding
     • 7 out of 10 steps can be automated in the pipeline
     • Build a DevSecOps template and store it in repos
  10. DevSecOps in Practice
     • Knowledge share with security warriors
     • Create a Confluence wiki to share information
     • Compliance through dashboards
     • Tips and tricks to solve vulnerabilities
     • Create squads to help teams learn from each other
     • Keep pushing the security agenda with upper management
     • Training for developers and agile teams
  11. DevSecOps in Practice
  12. DevSecOps in Practice
     • Breaking the build
     • Issues in the pipeline reported on Azure DevOps
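The mandatory header check from slide 8 combined with the "breaking the build" gate from slide 12, as an added example that is not the deck's own code: it inspects a response's security headers and returns findings; a non-empty list fails the pipeline step. The minimum HSTS max-age, the accepted X-XSS-Protection values and the two sample header sets are assumptions constructed for the example.

```python
"""Pipeline gate for the mandatory HTTP security headers (added example)."""
import sys

MIN_HSTS_MAX_AGE = 31536000        # assumption: one year, a common baseline
OK_XSS_VALUES = {"0", "1;mode=block"}  # OWASP now recommends 0; 1;mode=block is the legacy value


def parse_csp(value):
    """'default-src 'self'; img-src https:' -> {'default-src': ["'self'"], 'img-src': ['https:']}"""
    out = {}
    for group in value.split(";"):
        tokens = group.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_security_headers(headers):
    """Return a list of findings; an empty list means the response passes the gate."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:  # pull the max-age directive and require it to be numeric and large enough
        max_age = next((d.partition("=")[2].strip() for d in hsts.split(";")
                        if d.strip().lower().startswith("max-age")), "")
        if not max_age.isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "default-src" not in csp:
        findings.append("Content-Security-Policy has no default-src fallback")
    if "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")
    # CSP frame-ancestors supersedes X-Frame-Options; otherwise require DENY or SAMEORIGIN
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options must be DENY or SAMEORIGIN (or set CSP frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options must be nosniff")
    if h.get("x-xss-protection", "").replace(" ", "") not in OK_XSS_VALUES:
        findings.append("X-XSS-Protection missing or not 0 / 1; mode=block")
    return findings


def build_should_fail(headers):
    return bool(check_security_headers(headers))


# Constructed sample responses: one that passes the gate and one that should break the build.
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "0"}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL",
                "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
                "X-Content-Type-Options": "Nosniff"}

if __name__ == "__main__":
    for finding in check_security_headers(WEAK_HEADERS):
        print(f"[weak] {finding}")
    sys.exit(1 if build_should_fail(WEAK_HEADERS) else 0)  # non-zero exit breaks the build
```

In a real pipeline the header dictionary comes from a request against the deployed test environment; the exit code is what makes Azure DevOps or Jenkins mark the step as failed.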
  13. DevSecOps in Practice
     • Track security requirements and work items in Azure DevOps
  14. Challenges so far
     • Getting a seat at the table in design discussions
     • Getting time for “security debt” in the backlog
     • Aligning teams to discuss technology stacks and versions (third-party vulnerabilities); using the same version of .NET, Java, React.js
     • Finding volunteers to fix bugs and share knowledge with teams
     • Following the same pattern for authentication and authorization across APIs (how to generate JWT tokens for easy testing)
     • Reducing build wait times on agents (scheduling cron jobs)
     • Monitoring alerts from cloud providers
     • Configuring DAST (ZAP) across projects for different needs and different authentication methods
  15. Lessons Learnt (Process, Engineering Enablement, Security Operations)
     • Non-functional squad to drive the agenda
     • Exchange of knowledge and resources to scale and adopt the process
     • Security debt is seen as an important item
     • Security templates to enable CI/CD
     • Build examples of how to use popular tools and their benefits
     • Facilitate discussions between architects and teams
     • Make friends with developers
     • Dashboards to monitor progress
     • Monitor alerts on non-prod and prod
     • Audit logging for forensics
     • Good communication between SOC and teams
  16. Thanks!
