Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show off how easily it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples DevOps team can implement for free.

1. Dev{Sec}Ops
AUTOMATION CAN BE SECURITY FRIENDLY

2. The Talk
Dev{Sec}Ops - Automation can be Security Friendly
Keeping security top of mind while creating standards for engineering teams following the DevOps
culture. This talk was designed to show off how easily it is to automate security scanning and to be
the developer advocate by showing the quality of development work. We will cover some high-level
topics of DevSecOps and demo some examples DevOps team can implement for free.

3. Dev – Ops Culture
DevOps
DevSecOps
SecDevOps
DevSecAuditOps
Security Team’s Problems
That security guy

4. Shift Left …?
How about “Extend Left and Right”?

5. Steven
Carlson
Software Engineer who is passionate
about clean secure code.
https://rockrunner007.github.io/
The guy on the far right… people do
odd things when they ride a bicycle
for 7 straight days… #RAGBRAI2019

6. The Stage
HIGHLY REGULATED INDUSTRY OR NOT?!

7. Choose Policy and/or Goal
GDPR
SOC 1 | 2 | 3
PCI
NIST

8. COVID-19
Reliable
Easy to use
Secure
Feature Rich
Efficient

9. The Policy
A Secure Software Development Life Cycle Policy
or SDL
This process requires that an applications be
designed, developed, and maintained to protect
the integrity of all application functions as well
as sensitive data collected in association with
the application.

10. Secure Phase Guidance
Find it early. Fix it early.
Implement a proactive approach to discover and mitigate security issues in the early stages of SDL
thereby significantly reducing the cost of fixing the post-production vulnerabilities.
Avoid replicating vulnerabilities
Vulnerabilities get copied and replicated across the code base, it magnifies risk in individual projects
and possibly across multiple projects. Then it becomes a big development effort to clean up those
vulnerabilities.
Learn from constant feedback
Constant feedback and successful collaboration between developers and security team will reduce
the risk factor throughout SDL.

11. The Program
SCANNING + PRODUCT REVIEW + ACCESS MANAGEMENT = SDL

12. General Guidance
Code analysis
Embed automatic software vulnerabilities detection tools such as Checkmarx into your DevOps pipelines.
Change management
Increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad.
Compliance monitoring
Automate compliance and be ready for an audit at any time (which means being in a constant state of compliance, including
gathering evidence of GDPR compliance, PCI compliance, etc.).
Threat investigation
Identify potential emerging threats with each code update and be able to respond quickly.
Vulnerability assessment
Identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched.
Security training
Train software and IT engineers with guidelines for set routines.

13. Threat Modeling
What are we building?
What can go wrong?
What are we going do about it?
How well are we doing?

14. Threat Dragon
Resource: https://owasp.org/www-project-
threat-dragon/
Example:
https://github.com/RockRunner007/Security-
Programs

15. Source Code Scanning
Reviewing the source for a product
Password Search
Bad patterns
Known framework issues

16. Checkmarx
Resource: https://www.checkmarx.com/
Example:
https://github.com/RockRunner007/SAST_Aut
omation

17. Open Source Scanning
Security Risk due to known vulnerabilities
with packages or package dependencies
License Compliance checking for known
license and comparing to company policy

18. jFrog Xray
Resource: https://jfrog.com/xray
Example:
https://github.com/RockRunner007/SCA_Aut
omation

19. Secrets Management
Passwords
API Keys
Hashing Salt + Vector + Work Factor
SSL Cert

20. Security for Bitbucket
Resource:
https://marketplace.atlassian.com/apps/1221
399/security-for-
bitbucket?hosting=server&tab=overview
Example:
https://github.com/RockRunner007/SM_Auto
mation

21. Deployed Application Scanning
Crawl a deployed application
Use an authenticated user
Scheduled scans

22. Rapid 7 Insight Appsec
Resource:
https://www.rapid7.com/products/insightapp
sec/
Example:
https://github.com/RockRunner007/DAST_Au
tomation

23. Product Score Card
Measure product security stance
Measure development readiness
Communicate leadership and SDL
expectation

24. Product Review Program
Resource: Q2 DevSecOps Team
Example:
https://github.com/RockRunner007/Security-
Programs

25. Security Champion
Enable engineers to leverage the SDL
Point person for application security
questions
Partnership on scanning configuration
Partnership on product development

26. Security Champion Playbook
Resource: https://github.com/c0rdis/security-
champions-playbook
Example:
https://github.com/RockRunner007/Security-
Programs

27. The Opera
OPERATION … SEE WHAT I DID THERE?!

28. All Together Now

29. Dashboard
Data from security program
Break it down per product
Results from before SDL and now

30. Exam | Audit Time
History of all scan per product
Policies each scan is configured with
Listing of user’s access and permissions
Track of remediation

31. Customer
Penetration
Test

32. Shift Left …?
How about “Extend Left and Right”?

33. Easy as 1 2 3 …?

34. Feedback?
QUESTIONS?!

35. Steven
Carlson
Software Engineer who is passionate
about clean secure code.
https://rockrunner007.github.io/
The guy on the far right… people do
odd things when they ride a bicycle
for 7 straight days… #RAGBRAI2019