SlideShare ist ein Scribd-Unternehmen logo

How to Get Started with DevSecOps

CYBRIC
CYBRIC

"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io

Technologie
1 von 27
SESSION TITLE GOES HERE Second Line Goes Here #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Speaker Name Speaker Title Company Name Speaker Name Speaker Title Company Name How to Get Started with DevSecOps #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Andrei Bezdedeanu VP of Engineering
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Waterfall vs. Agile Conception Initiation Analysis Design Development Testing Deployment Development Testing DeploymentRefining Planning Conception
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan Agile Manifesto
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. Development Operations QA DevOps
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Challengers and Enablers to DevOps Challengers • Organizational structure • Lack of understanding • Goals misalignment • Personal egos • Technical incompetency • Corporate politics Enablers • Executive support • Leading by example • Champions • Automation, automation, automation • Technical competency • Early success
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Components of a Successful DevOps Strategy • Continuous Integration • Continuous Delivery • Microservices • Infrastructure as Code • Monitoring and Logging • Communication and Collaboration • Shared Accountability
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Benefits of DevOps • Collaboration – alignment between development and operations teams; handoff friction is reduced; common goals and objectives • Fluid responsiveness – real-time feedback and greater efficiency; changes and improvements can be implemented more quickly • Shorter cycle time – efficiency and communication between teams shortens cycle time; new code can be released more rapidly • Better quality – bugs are discovered and fixed more quickly, goal of every Agile sprint is to deliver working, quality software
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevOps vs SecOps • DevOps does not mean more secure applications! • Growing chasm between DevOps and SecOps • Security testing too late in the application delivery cycle • Testing done by SecOps team not familiar with the code base • Security not often part of initial design • No threat modeling • Fixing vulnerabilities in conflict with sprint goals • Increased frustration for both teams • Finger pointing
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevSecOps • A bridge between fast and secure software development • A cross-functional team composed of Development, Operations, Security and QA • United security and engineering culture • Security at the speed of DevOps, leveraging automation to fullest extent • Making Security an integral part of application design
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Keys to a Successful DevSecOps Transformation • Insert security into the DevOps culture • Break down the “walls” • Design with security in mind • Embed security throughout SDLC • Empower developers with appropriate security tools • Treat everything as code • Manage security posture after deployment • Include Development and Operations in incident response Development Operations QA Security
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Challengers and Enablers to DevSecOps Challengers • Organizational structure • Developers lack knowledge of security tools & practices • Security engineers lack understanding of development Enablers • Executive support • CI/CD • Infrastructure as code • Education
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM “Shift Left” • Empower development team with tools, process and best practices • Security checks in the IDE • Scan code on commit • Scan output of build process • Scan container images built • Scan applications deployed to non-production environments • Scan applications in production • Scan infrastructure and network • Check cloud and network configurations
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Automation and Orchestration • A proper DevSecOps strategy has little room for manual testing and scanning • Functional testing and Penetration testing can still happen, but… • Automate all scans that can be automated • Orchestrate the process by integrating into code repositories, build and deployment pipelines
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM What Scanning Tools Do We Use? Static App Security Testing (SAST) Analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. Software Composition Analysis (SCA) Identify risks from open source libraries and commonly used frameworks, covering both known security vulnerabilities and license risk. Dynamic App Security Testing (DAST) Detect conditions indicative of a security vulnerability in an application in its running state (outside-in) Interactive App Security Testing (IAST) Analyze application behavior in the testing phase by instrumenting the runtime engine to get insight into the application’s logic flow, data flow and configuration. Monitor test attacks initiated by a DAST attack inducer, and then report on the attacks that resulted (or might result) in an application’s exploit.
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM From Code Commit to Deployment [Code Repository] CodeScan(SAST/SCA) Build BinaryScan(SAST/SCA) Stage Deploy Production Deploy App.Scan(DAST) App.Scan(DAST) Network/HostScan Network/HostScan Code Commit Security Tools (SAST, SCA, IAST & DAST) [Build Process] [Staging] [Production]
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Containerization & Cloud Transformation • Integrating security into continuous delivery can be challenging • Developers and IT ops are rarely trained in security • Security teams don’t necessarily know how to code or administer servers • For DevSecOps to work, everyone involved in continuous delivery needs to speak the same language and work with the same environment • Infrastructure as code provides a common framework • Containers are the key to achieving automated, predictable security operations • Container security is a fast maturing space (NIST 800-190)
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Data Aggregation & Single Pane of Glass Security scanning tools provide rich set of vulnerability data • Normalize data into a single format • Consolidate into single issues of the same type • Deduplicate across tools with overlapping coverage • Allow users to override based on what they know • Correlate Static and Dynamic issues • Prioritize exploitable vulnerabilities • Minimize exposure and risk • Remediate quickly
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM How fast, How bad, How expensive? The three questions most asked: 1. How fast can we find out if/when we have a problem? 2. How bad is it (what is the risk)? 3. What is it going to take to fix it?
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Detection & Remediation Metrics Internal Rate of Detection (IRD) • The time it takes to find vulnerabilities • Usually measured as the time between last scan and the first scan that identified a new issue • Measures the risk of having a vulnerability and not knowing about it • More frequent scanning = lower IRD Internal Rate of Remediation (IRR) • The time it takes to fix vulnerabilities • Usually measured as time between detection and remediation • Measures effectiveness of fixing vulnerabilities once found • Addressing issues immediately = lower IRR
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Defect Metrics Severity • Degree of impact a vulnerability has on the development or operation of a component or application being tested • The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of security vulnerabilities • CVSS indicates ease and impact of exploit Confidence Level • Level of confidence in the existence of the vulnerability and also the credibility of the technical details of the vulnerability Defect Density • Number of defects (vulnerabilities, bugs) per thousands of lines of code
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Cost of Remediation Multi-variable calculation without a common standard/definition Variables that can influence cost of remediation: • IRD & IRR • Severity • Confidence Level • Correlation & Exploitability
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Application & Enterprise Risk Various risk estimation frameworks available… OWASP Risk Rating Methodology Risk = Likelihood * Impact Likelihood Factors • Threat Agent Factors (skill, motive, opportunity, size) • Vulnerability Factors (ease of discovery, ease of exploit, awareness, intrusion detection) Impact Factors • Business (financial damage, reputational damage, non-compliance, privacy violation) • Technical (loss of confidentiality, integrity, availability, accountability)
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Incident Response & Management DevSecOps is a good idea… Early vulnerability detection and proper hygiene are good ideas… But breaches will happen!!! Efficient Incident Response is key when that occurs…
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Agile and DevSecOps to the rescue • DevSecOps provides a shared accountability culture • Use information collected prior to the breach in development, testing and production • Use available correlations to efficiently find problems in code and fix them • Use existing automation framework to provide attestation of any fix • Plan remediations and patching immediately or plan as part of next sprint
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM The journey starts where you are today There are no prerequisites for DevSecOps • You can start with code security (start left) • You can start with dynamic application scanning (start right) • You can start ensuring that open source component risks are minimal • You can start by just scanning container images for known vulnerabilities, or… • You can put in place an end-to-end comprehensive strategy Either way, DevSecOps can enable and accelerate the journey
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM No Excuses!!! We are not ready We don’t have any scanning tools We don’t have resources We don’t have time Security is important, but not a priority We don’t have any vulnerabilities We are not mature enough We don’t have CI/CD We are not DevOps
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Email: andrei@cybric.io LinkedIn: @andreibezdedeanu Twitter: @abezdedeanu

Empfohlen

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
Siddharth Joshi
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 

Empfohlen

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
Siddharth Joshi
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Cheah Eng Soon
 
CI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps JourneyCI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps Journey
DevOps.com
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
Rubal Jain
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
Prashanth B. P.
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
Edureka!
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
Opsta
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
CI/CD (DevOps) 101
CI/CD (DevOps) 101CI/CD (DevOps) 101
CI/CD (DevOps) 101
Hazzim Anaya
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 

Weitere ähnliche Inhalte

Was ist angesagt?

CI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps JourneyCI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps Journey
DevOps.com
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
Tonex
 

Was ist angesagt? (20)

DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
CI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps JourneyCI/CD Best Practices for Your DevOps Journey
CI/CD Best Practices for Your DevOps Journey
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
CI/CD (DevOps) 101
CI/CD (DevOps) 101CI/CD (DevOps) 101
CI/CD (DevOps) 101
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 

Ähnlich wie How to Get Started with DevSecOps

Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
Nadira Bajrei
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Amazon Web Services
 

Ähnlich wie How to Get Started with DevSecOps (20)

Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital LandscapeDevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital Landscape
 
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdfResolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Application Security from the Inside Out
Application Security from the Inside OutApplication Security from the Inside Out
Application Security from the Inside Out
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 

Kürzlich hochgeladen

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 

Kürzlich hochgeladen (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

How to Get Started with DevSecOps

  • 1. SESSION TITLE GOES HERE Second Line Goes Here #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Speaker Name Speaker Title Company Name Speaker Name Speaker Title Company Name How to Get Started with DevSecOps #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Andrei Bezdedeanu VP of Engineering
  • 2. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Waterfall vs. Agile Conception Initiation Analysis Design Development Testing Deployment Development Testing DeploymentRefining Planning Conception
  • 3. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration over contract negotiation Responding to change over following a plan Agile Manifesto
  • 4. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. Development Operations QA DevOps
  • 5. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Challengers and Enablers to DevOps Challengers • Organizational structure • Lack of understanding • Goals misalignment • Personal egos • Technical incompetency • Corporate politics Enablers • Executive support • Leading by example • Champions • Automation, automation, automation • Technical competency • Early success
  • 6. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Components of a Successful DevOps Strategy • Continuous Integration • Continuous Delivery • Microservices • Infrastructure as Code • Monitoring and Logging • Communication and Collaboration • Shared Accountability
  • 7. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Benefits of DevOps • Collaboration – alignment between development and operations teams; handoff friction is reduced; common goals and objectives • Fluid responsiveness – real-time feedback and greater efficiency; changes and improvements can be implemented more quickly • Shorter cycle time – efficiency and communication between teams shortens cycle time; new code can be released more rapidly • Better quality – bugs are discovered and fixed more quickly, goal of every Agile sprint is to deliver working, quality software
  • 8. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevOps vs SecOps • DevOps does not mean more secure applications! • Growing chasm between DevOps and SecOps • Security testing too late in the application delivery cycle • Testing done by SecOps team not familiar with the code base • Security not often part of initial design • No threat modeling • Fixing vulnerabilities in conflict with sprint goals • Increased frustration for both teams • Finger pointing
  • 9. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM DevSecOps • A bridge between fast and secure software development • A cross-functional team composed of Development, Operations, Security and QA • United security and engineering culture • Security at the speed of DevOps, leveraging automation to fullest extent • Making Security an integral part of application design
  • 10. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Keys to a Successful DevSecOps Transformation • Insert security into the DevOps culture • Break down the “walls” • Design with security in mind • Embed security throughout SDLC • Empower developers with appropriate security tools • Treat everything as code • Manage security posture after deployment • Include Development and Operations in incident response Development Operations QA Security
  • 11. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Challengers and Enablers to DevSecOps Challengers • Organizational structure • Developers lack knowledge of security tools & practices • Security engineers lack understanding of development Enablers • Executive support • CI/CD • Infrastructure as code • Education
  • 12. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM “Shift Left” • Empower development team with tools, process and best practices • Security checks in the IDE • Scan code on commit • Scan output of build process • Scan container images built • Scan applications deployed to non-production environments • Scan applications in production • Scan infrastructure and network • Check cloud and network configurations
  • 13. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Automation and Orchestration • A proper DevSecOps strategy has little room for manual testing and scanning • Functional testing and Penetration testing can still happen, but… • Automate all scans that can be automated • Orchestrate the process by integrating into code repositories, build and deployment pipelines
  • 14. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM What Scanning Tools Do We Use? Static App Security Testing (SAST) Analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. Software Composition Analysis (SCA) Identify risks from open source libraries and commonly used frameworks, covering both known security vulnerabilities and license risk. Dynamic App Security Testing (DAST) Detect conditions indicative of a security vulnerability in an application in its running state (outside-in) Interactive App Security Testing (IAST) Analyze application behavior in the testing phase by instrumenting the runtime engine to get insight into the application’s logic flow, data flow and configuration. Monitor test attacks initiated by a DAST attack inducer, and then report on the attacks that resulted (or might result) in an application’s exploit.
  • 15. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM From Code Commit to Deployment [Code Repository] CodeScan(SAST/SCA) Build BinaryScan(SAST/SCA) Stage Deploy Production Deploy App.Scan(DAST) App.Scan(DAST) Network/HostScan Network/HostScan Code Commit Security Tools (SAST, SCA, IAST & DAST) [Build Process] [Staging] [Production]
  • 16. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Containerization & Cloud Transformation • Integrating security into continuous delivery can be challenging • Developers and IT ops are rarely trained in security • Security teams don’t necessarily know how to code or administer servers • For DevSecOps to work, everyone involved in continuous delivery needs to speak the same language and work with the same environment • Infrastructure as code provides a common framework • Containers are the key to achieving automated, predictable security operations • Container security is a fast maturing space (NIST 800-190)
  • 17. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Data Aggregation & Single Pane of Glass Security scanning tools provide rich set of vulnerability data • Normalize data into a single format • Consolidate into single issues of the same type • Deduplicate across tools with overlapping coverage • Allow users to override based on what they know • Correlate Static and Dynamic issues • Prioritize exploitable vulnerabilities • Minimize exposure and risk • Remediate quickly
  • 18. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM How fast, How bad, How expensive? The three questions most asked: 1. How fast can we find out if/when we have a problem? 2. How bad is it (what is the risk)? 3. What is it going to take to fix it?
  • 19. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Detection & Remediation Metrics Internal Rate of Detection (IRD) • The time it takes to find vulnerabilities • Usually measured as the time between last scan and the first scan that identified a new issue • Measures the risk of having a vulnerability and not knowing about it • More frequent scanning = lower IRD Internal Rate of Remediation (IRR) • The time it takes to fix vulnerabilities • Usually measured as time between detection and remediation • Measures effectiveness of fixing vulnerabilities once found • Addressing issues immediately = lower IRR
  • 20. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Defect Metrics Severity • Degree of impact a vulnerability has on the development or operation of a component or application being tested • The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of security vulnerabilities • CVSS indicates ease and impact of exploit Confidence Level • Level of confidence in the existence of the vulnerability and also the credibility of the technical details of the vulnerability Defect Density • Number of defects (vulnerabilities, bugs) per thousands of lines of code
  • 21. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Cost of Remediation Multi-variable calculation without a common standard/definition Variables that can influence cost of remediation: • IRD & IRR • Severity • Confidence Level • Correlation & Exploitability
  • 22. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Application & Enterprise Risk Various risk estimation frameworks available… OWASP Risk Rating Methodology Risk = Likelihood * Impact Likelihood Factors • Threat Agent Factors (skill, motive, opportunity, size) • Vulnerability Factors (ease of discovery, ease of exploit, awareness, intrusion detection) Impact Factors • Business (financial damage, reputational damage, non-compliance, privacy violation) • Technical (loss of confidentiality, integrity, availability, accountability)
  • 23. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Incident Response & Management DevSecOps is a good idea… Early vulnerability detection and proper hygiene are good ideas… But breaches will happen!!! Efficient Incident Response is key when that occurs…
  • 24. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Agile and DevSecOps to the rescue • DevSecOps provides a shared accountability culture • Use information collected prior to the breach in development, testing and production • Use available correlations to efficiently find problems in code and fix them • Use existing automation framework to provide attestation of any fix • Plan remediations and patching immediately or plan as part of next sprint
  • 25. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM The journey starts where you are today There are no prerequisites for DevSecOps • You can start with code security (start left) • You can start with dynamic application scanning (start right) • You can start ensuring that open source component risks are minimal • You can start by just scanning container images for known vulnerabilities, or… • You can put in place an end-to-end comprehensive strategy Either way, DevSecOps can enable and accelerate the journey
  • 26. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM No Excuses!!! We are not ready We don’t have any scanning tools We don’t have resources We don’t have time Security is important, but not a priority We don’t have any vulnerabilities We are not mature enough We don’t have CI/CD We are not DevOps
  • 27. #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM Email: andrei@cybric.io LinkedIn: @andreibezdedeanu Twitter: @abezdedeanu

Hinweis der Redaktion

  1. d