Talk DevSecOps to me

This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies and tools, it demonstrates how to accelerate your team's journey from endpoint security to built-in security, and how to avoid the common mistakes made when implementing your chosen DevSecOps strategy.


  1. Talk DevSecOps to me: An Introduction
  2. Michelle Ribeiro
     ★ CEO @ SPIRITSEC
     ★ InfoSec & Open Source Pro since 1999
     ★ DevOpsDays, LPI, Debian Project
     ★ Debian Security Manual & DebConf in 2004 (Ubuntu launch site)
     (skills chart: Innovation 90%, Tech 85%, GovTech 83%, Travel 65%)
  3. Michelle Ribeiro
     ★ BSc International Relations @ LSE
     ★ MA Diplomacy & International Studies @ UoL - Chevening Scholarship
     ★ Innovation Strategy @ MIT
  4. 1. What is DevSecOps?
  5. https://www.infoq.com/presentations/devsecops-2019/
  6. The 3 Faces of DevOps
     DevOps:
     1. DevOps Culture
     2. DevOps Methodologies
     3. DevOps Tools
  7. The 3 Faces of DevSecOps
     DevSecOps:
     1. Introduce Security into DevOps Culture
     2. Secure DevOps Methodologies
     3. Secure DevOps Tools
  8. Waterfall Security
     ★ InfoSec as gatekeepers
     ★ Security audits only after deploy
     ★ Too much time & money
     DevOps & (Reactive) Security
     ★ Innovation bottleneck
     ★ WAF, anyone?
  9. Automated threats require automated responses
     58% of web traffic comes from humans. Bad bots alone account for almost 22% of all web traffic today, and this number is only expected to increase.
  10. Proactive Security
     ★ Built-in security
     ★ Decentralized and automated vulnerability assessments
     ★ Rapid feedback
     ★ Empower your Dev & Ops teams to make security assessments
  11. 2. Introduce Security into DevOps Culture
  12. Shift Left
     ★ “You build, you secure it” (John Willis)
     ★ Introduce security scans into the developer's workflow, enabling them to find and fix vulnerabilities before the code ever leaves their hands and assuring constant feedback
     ★ Different layers of security: less cost & more innovation
  13. (image-only slide)
  14. Shared Ownership
     ★ DevOps team: 100 Dev, 10 Ops & 1 Sec
     ★ Security development practices
     ★ Shared security library
     ★ Container images
     ★ Use DevOps tools to manage security issues and events
     ★ Agile postmortem
  15. Get Onboard with the Programme
     ★ DevSecOps ≠ Security as Code
     ★ Security as Code: automation with Ansible, Chef
     ★ Learn to code & use Git
     ★ Deep dive into the DevOps culture
     ★ Special attention to CI/CD & continuous feedback
  16. 3. Secure DevOps Methodologies
  17. DevOps Methodologies
     ★ Microservices, APIs, CI/CD, etc.
     ★ No DevOps environment is equal to another
     ★ Cloud Native Security's 4Cs:
       1. Code
       2. Container
       3. Cluster
       4. Cloud
  18. (image-only slide)
  19. Code - Pre-build
     ★ SAST (Static Application Security Testing)
     ★ Code inspection for coding vulnerabilities, backdoors and malware
     ★ Brakeman (SAST for Ruby on Rails)
  20. Code - Pre-build
     ● Dependency security check: scan all dependencies of binaries and executables and ensure that these dependencies, over which we often have no control, are free from vulnerabilities or malicious binaries
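The dependency check on this slide, as an added example that is not part of the deck: pinned versions from a lock file are matched against advisories with affected version ranges, and the result is turned into a pass/fail gate for the pipeline. The advisory entries, identifiers (EXAMPLE-000x, not real CVEs) and lock file are all constructed for the example; a real pre-build step would load advisories from a feed such as OSV and run this before the build is allowed to proceed.

```python
"""Dependency security check (added example): match the pinned versions in a
lock file against advisories with affected version ranges and gate the build.
The advisory entries and lock file below are constructed for this example;
the identifiers are not real CVEs."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed advisory data: a version is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "leftpad", "introduced": "1.0.0", "fixed": "1.2.3", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "yamlish", "introduced": "0", "fixed": "5.4.0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0003", "package": "yamlish", "introduced": "6.0.0", "fixed": None, "severity": "LOW"},
]

# Constructed lock file in pip requirements style (pinned with ==).
LOCKFILE = """\
leftpad==1.2.2
yamlish==5.3.1
requests==2.31.0   # not covered by any advisory above
"""

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3). Non-numeric parts such as rc1 are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def cmp_versions(a: str, b: str) -> int:
    """-1, 0 or 1; '1.2' and '1.2.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta, tb = ta + (0,) * (n - len(ta)), tb + (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range [introduced, fixed); fixed=None means no fix released yet."""
    if cmp_versions(version, introduced) < 0:
        return False
    return fixed is None or cmp_versions(version, fixed) < 0


def parse_lockfile(text: str) -> Dict[str, str]:
    """Map lower-cased package name -> pinned version, ignoring comments."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            deps[name.strip().lower()] = version.strip()
    return deps


def scan(lock_text: str, advisories: List[dict] = ADVISORIES) -> List[dict]:
    """Return one finding per advisory that matches a pinned dependency."""
    deps = parse_lockfile(lock_text)
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"].lower())
        if version and is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({"id": adv["id"], "package": adv["package"], "version": version,
                             "severity": adv["severity"], "fixed": adv["fixed"]})
    return findings


def gate(findings: List[dict], fail_on: str = "HIGH") -> bool:
    """True if the build should fail: any finding at or above the threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)


if __name__ == "__main__":
    found = scan(LOCKFILE)
    for f in found:
        fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fix available yet"
        print(f"{f['severity']:<8} {f['package']}=={f['version']}  {f['id']}  ({fix})")
    raise SystemExit(1 if gate(found) else 0)  # a non-zero exit fails the CI job
```

The severity threshold is what makes this usable as rapid feedback rather than a blocker: developers see every finding, but only HIGH and above stop the merge, and advisories with no fix yet (EXAMPLE-0003) are reported without being silently dropped.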
  21. Code - After Deploy
     ● DAST (Dynamic Application Security Testing)
     ● A black-box security testing methodology in which the running application is tested from the outside
  22. (image-only slide)
  23. CI/CD Platform
     ★ GitLab, GitHub, Azure, etc.
     ★ A good point to start the shared ownership strategy with Dev and Ops
     ★ Map their user stories and how the platform could be abused
     ★ If you are using a SaaS platform, you remain responsible for its security: user and role restrictions, etc.
  24. Containers
     ★ Oversimplification: a VM
     ★ More efficiency to deliver and deploy
     ★ Shared images mean more security, but the host also needs to be secure
     ★ Be careful with publicly available images
  25. Containers
     ★ Docker containers are, by default, quite secure, especially if you run your processes as non-privileged users
     ★ Control groups: resource accounting and limiting
     ★ Restrict control of your Docker daemon to trusted users only: access to the daemon socket is equivalent to root on the host
     ★ Extra layer of safety: AppArmor, SELinux, grsecurity, etc.
  26. Containers
     ★ Clair: open source project for the static analysis of vulnerabilities in appc and Docker containers
     ★ The Center for Internet Security (CIS) Docker Community Edition (CE) Benchmark: a reference document designed to establish a secure configuration baseline for the Docker CE Engine
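Three of the container points above (non-privileged users, care with public images, a configuration baseline in the spirit of the CIS Docker Benchmark) as a pre-build check, added here as an example that is not from the deck or from any of the tools it names: a small Dockerfile linter that flags a missing non-root USER, an unpinned base image, and remote ADD. Both Dockerfiles are constructed for the example, and the digest in the hardened one is a placeholder, not a real image.

```python
"""Dockerfile hardening checks (added example): run as a non-root user, pin
the base image, and do not pull unvetted remote content at build time. Both
Dockerfiles are constructed; the digest is a placeholder."""
import re
from typing import List, Tuple

WEAK = """\
FROM python:latest
ADD https://example.invalid/app.tar.gz /app/
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

PLACEHOLDER_DIGEST = "sha256:" + "0" * 64  # stands in for a real image digest
HARDENED = f"""\
FROM python:3.12-slim@{PLACEHOLDER_DIGEST}
COPY --chown=10001:10001 app/ /app/
RUN useradd --system --uid 10001 --no-create-home app \\
    && pip install --no-cache-dir -r /app/requirements.txt
USER 10001
CMD ["python", "/app/main.py"]
"""


def instructions(text: str) -> List[Tuple[str, str]]:
    """Join backslash line continuations, drop comments and blank lines,
    and return (INSTRUCTION, arguments) pairs in order."""
    joined = re.sub(r"\\\r?\n", " ", text)
    result = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        result.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return result


def lint(dockerfile: str) -> List[str]:
    """Return findings for the final stage; an empty list means it passes."""
    findings = []
    user = None  # effective USER of the current stage; None means root
    for inst, args in instructions(dockerfile):
        if inst == "FROM":
            image = args.split()[0]  # drop any "AS stage" alias
            if "@sha256:" not in image:
                tag = image.rsplit("/", 1)[-1].partition(":")[2]
                if image != "scratch" and tag in ("", "latest"):
                    findings.append(f"FROM {image}: base image is not pinned; use a specific tag or, better, a digest")
            user = None  # every stage starts again as root
        elif inst == "USER":
            user = args.partition(":")[0].strip()  # form is user[:group]
        elif inst == "ADD" and re.search(r"\bhttps?://", args):
            findings.append(f"ADD {args.split()[0]}: fetches remote content at build time; COPY a vetted artifact instead")
    if user in (None, "root", "0"):
        findings.append("final stage has no non-root USER; the application will run as root inside the container")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        problems = lint(text)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

The USER state is reset on every FROM because a multi-stage build only keeps the last stage's settings: a `USER` in the build stage says nothing about who runs the shipped image. A numeric UID is used in the hardened file so that a Kubernetes `runAsNonRoot` check can verify it without resolving names inside the image.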
  27. 4. Secure DevOps Technologies
  28. DevOps Technologies
     ★ No DevOps culture, methodology or mix of tools is the same
     ★ Cloud Native Computing Foundation: 1,300+ projects
     ★ It's virtually impossible to be a DevSecOps Engineer ;)
  29. (image-only slide)
  30. Cluster (Kubernetes)
     ★ Only as secure as your code, containers and cloud
     ★ Control access to Kubernetes and its API
     ★ Control access to the Kubelet
     ★ Control the capabilities of a workload or user at runtime, such as memory usage, to prevent an attack
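The last bullet, controlling what a workload may do at runtime, as an added example that is not part of the deck: a check over a pod spec for the settings that let a compromised container reach the node (host namespaces, privileged mode, privilege escalation, undropped capabilities, an auto-mounted service account token) plus the memory limit the slide mentions. The checks correspond to the core of the Kubernetes Pod Security Standards "restricted" profile; both manifests are constructed for the example and written as dicts so the script runs without PyYAML.

```python
"""Pod spec runtime-capability check (added example). Both manifests are
constructed; the registry host and image names are placeholders."""
from typing import List

WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "web",
            "image": "registry.example.invalid/web:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "registry.example.invalid/web:1.4.2",
            "resources": {"limits": {"memory": "256Mi", "cpu": "500m"}},
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def check_pod(pod: dict) -> List[str]:
    """Return human-readable findings; an empty list means the pod passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"spec.{flag}=true shares a host namespace with the container")
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is auto-mounted; disable it unless the pod calls the API")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container has full access to the node")
        # The container setting overrides the pod-level one; unset means root is allowed.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot is not true at container or pod level")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation defaults to true (setuid binaries can gain privileges)")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: Linux capabilities are not dropped")
        if not c.get("resources", {}).get("limits", {}).get("memory"):
            findings.append(f"{name}: no memory limit; a runaway or abused process can starve the node")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod))
```

In a cluster the same rules are enforced by the built-in Pod Security admission controller (`pod-security.kubernetes.io/enforce: restricted` on the namespace); running them in CI against the manifests gives developers the finding before the API server rejects the deployment.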
  31. Cloud
     Security in the cloud is similar to security in your on-premises data centers, only without the costs of maintaining facilities and hardware. In the cloud, you don't have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
  32. Cloud
     For this reason, cloud security is a Shared Responsibility between the customer and AWS, where customers are responsible for "security in the cloud" and AWS is responsible for "security of the cloud."
  33. ★ Netflix's Security Monkey
     ★ Scout2
     ★ Forseti Security & CloudSploit
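The tools on this slide work by reading an account's configuration and asking questions of it. One such question, reduced to a stand-alone script as an added example that is not from the deck or from any of those tools: does an S3 bucket policy grant access to everyone? The two policies are constructed for the example (the account ID, bucket name and VPC endpoint ID are placeholders). A wildcard principal with no Condition is reported as public; one limited by a Condition is reported for review, because whether it is still effectively public depends on which condition keys and values are used.

```python
"""S3 bucket policy public-access check (added example). Both policies are
constructed; account ID, bucket and VPC endpoint are placeholders."""
import json
from typing import Any, List

PUBLIC_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")


def as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal: Any) -> bool:
    """A bare "*" or {"AWS": "*"} means everyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False


def audit_bucket_policy(policy: dict) -> List[str]:
    """One finding per Allow statement with a wildcard principal. A Condition
    narrows the grant, so those statements are reported for review, not as public."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not principal_is_wildcard(st.get("Principal")):
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = ", ".join(as_list(st.get("Action", [])))
        if "Condition" not in st:
            findings.append(f"{sid}: PUBLIC: allows {actions} to any principal with no Condition")
        else:
            keys = sorted(k for block in st["Condition"].values() for k in block)
            findings.append(f"{sid}: wildcard principal limited by condition keys {keys}; verify they are restrictive")
    return findings


def is_public(policy: dict) -> bool:
    """True if any statement grants unconditional access to everyone."""
    return any(": PUBLIC: " in f for f in audit_bucket_policy(policy))


if __name__ == "__main__":
    for label, pol in (("public-read", PUBLIC_READ_POLICY), ("private", PRIVATE_POLICY)):
        print(label, "public" if is_public(pol) else "not public")
        for f in audit_bucket_policy(pol):
            print("  -", f)
```

In a real scan the policy text comes from the API (`GetBucketPolicy`) for every bucket in every account, which is the automation the slide's tools add on top of a rule like this one; the rule itself is what has to be right.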
  34. 5. Conclusion
  35. Conclusion
     What is DevSecOps - 3 faces:
     ★ To introduce Security into DevOps Culture
     ★ To secure DevOps Methodologies
     ★ To secure DevOps Technologies
  36. Conclusion
     ★ Shift left: empower Dev & Ops to take security measures
     ★ 4Cs: Code, Container, Cluster & Cloud, plus the CI/CD platform that connects them
     ★ Devs: learn about security development practices
     ★ Ops & Sec: get onboard with the programme
  37. First Step
     GitLab's DevSecOps Methodology Assessment
     https://about.gitlab.com/resources/devsecops-methodology-assessment/
  38. Thanks! @michelleribeiro
