Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show how easy it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples a DevOps team can implement for free.
2. The Talk
Dev{Sec}Ops - Automation can be Security Friendly
3. Dev – Ops Culture
DevOps
DevSecOps
SecDevOps
DevSecAuditOps
Security Team’s Problems
That security guy
5. Steven Carlson
Software Engineer who is passionate about clean secure code.
https://rockrunner007.github.io/
The guy on the far right… people do odd things when they ride a bicycle for 7 straight days… #RAGBRAI2019
9. The Policy
A Secure Software Development Life Cycle Policy, or SDL
This process requires that applications be designed, developed, and maintained to protect the integrity of all application functions as well as sensitive data collected in association with the application.
10. Secure Phase Guidance
Find it early. Fix it early.
Implement a proactive approach to discover and mitigate security issues in the early stages of the SDL, thereby significantly reducing the cost of fixing post-production vulnerabilities.
Avoid replicating vulnerabilities
When vulnerabilities get copied and replicated across the code base, the risk is magnified within individual projects and possibly across multiple projects. Cleaning up those vulnerabilities then becomes a big development effort.
Learn from constant feedback
Constant feedback and successful collaboration between developers and the security team will reduce the risk factor throughout the SDL.
12. General Guidance
Code analysis
Embed automatic software vulnerability detection tools such as Checkmarx into your DevOps pipelines.
Change management
Increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad.
Compliance monitoring
Automate compliance and be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.).
Threat investigation
Identify potential emerging threats with each code update and be able to respond quickly.
Vulnerability assessment
Identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched.
Security training
Train software and IT engineers with guidelines for set routines.
13. Threat Modeling
What are we building?
What can go wrong?
What are we going to do about it?
How well are we doing?
17. Open Source Scanning
Security risk due to known vulnerabilities in packages or package dependencies
License compliance checking: identifying each package's known license and comparing it to company policy
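As an added example (not code from the talk), the two checks this slide names, written as a small offline gate a pipeline can run for free: pinned dependencies are compared against a known-vulnerability list and against a license allow-list. The advisory identifiers, package names, license data and the allowed-license policy are all constructed for the demo, not real advisories or a real company policy.

```python
"""Open-source dependency gate: known-vulnerability and license-policy checks."""

# Constructed advisory data (not real advisories): package -> [(first fixed version, advisory id)]
ADVISORIES = {
    "examplelib": [((1, 4, 2), "EXAMPLE-2019-0001")],
    "otherpkg": [((2, 0, 0), "EXAMPLE-2019-0002")],
}
# Constructed license metadata, as a real tool would read from package metadata.
LICENSES = {"examplelib": "MIT", "otherpkg": "Apache-2.0", "copyleftlib": "GPL-3.0"}
# Assumed company policy: only these licenses may ship in the product.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(manifest):
    """Parse pinned 'name==version' lines; comments and blanks are ignored.
    Unpinned dependencies are rejected, because an unpinned build cannot be audited."""
    deps = {}
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip().lower()] = parse_version(version.strip())
    return deps


def scan(manifest):
    """Return one finding per vulnerable or policy-violating dependency."""
    findings = []
    for name, version in parse_manifest(manifest).items():
        for fixed_in, advisory in ADVISORIES.get(name, []):
            if version < fixed_in:  # anything below the first fixed release is affected
                findings.append({"package": name, "type": "vulnerability",
                                 "detail": advisory, "fix": ".".join(map(str, fixed_in))})
        # Unknown licenses fail closed: a package with no license data cannot pass policy.
        license_name = LICENSES.get(name, "UNKNOWN")
        if license_name not in ALLOWED_LICENSES:
            findings.append({"package": name, "type": "license", "detail": license_name})
    return findings


# Constructed pin file for the demo.
SAMPLE_MANIFEST = "# demo pins\nexamplelib==1.3.0\notherpkg==2.1.0\ncopyleftlib==0.9.1\n"

if __name__ == "__main__":
    results = scan(SAMPLE_MANIFEST)
    for finding in results:
        print(finding)
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the non-zero exit blocks the build when a finding exists, and the printed findings are the evidence an audit later asks for.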
25. Security Champion
Enable engineers to leverage the SDL
Point person for application security questions
Partnership on scanning configuration
Partnership on product development
30. Exam | Audit Time
History of all scans per product
Policies each scan is configured with
Listing of users' access and permissions
Tracking of remediation