This talk digs into the fundamentals of DevSecOps, exploring the key principles required to advance your security practices. Considering the changes in culture, methodologies, and tools, it demonstrates how to accelerate your team's journey from endpoint security to built-in security and how to avoid the common mistakes made when implementing your chosen DevSecOps strategy.
6. The 3 Faces of DevOps
DevOps:
1. DevOps Culture
2. DevOps Methodologies
3. DevOps Tools
7. The 3 Faces of DevSecOps
DevSecOps:
1. Introduce Security into DevOps Culture
2. Secure DevOps Methodologies
3. Secure DevOps Tools
8. Waterfall Security
★ Infosec as gatekeepers;
★ Security audits only after deploy;
★ Too much time & money.
DevOps & (Reactive) Security
★ Innovation bottleneck
★ WAF anyone?
Michelle Ribeiro
9. Automated threats require automated responses
58% of web traffic comes from humans.
Bad bots alone account for almost 22% of all web traffic today.
This number is only expected to increase.
10. Proactive Security
★ Built-in security
★ Decentralized and automated vulnerability assessments
★ Rapid feedback
★ Empower your Dev & Ops teams to make security assessments
12. Shift Left
★ “You build, you secure it” (Willis, John)
★ Introduce security scans into the developer's workflow, enabling them to find and fix vulnerabilities before the code ever leaves their hands and assuring constant feedback
★ Different layers of security: lower cost & more innovation
14. Shared Ownership
★ DevOps team: 100 DEV, 10 OPS & 1 SEC
★ Security development practices
★ Shared security library
★ Container images
★ Use DevOps tools to manage security issues and events.
★ Agile Postmortem
15. Get Onboard with the Programme
★ DevSecOps ≠ Security as Code
★ Security as Code: automation with Ansible, Chef
★ Learn to code & use Git
★ Deep dive into the DevOps culture
★ Special attention to CI/CD & continuous feedback
19. Code - Pre build
★ SAST (Static Application Security Testing)
★ Code inspection for coding vulnerabilities, backdoors and malware
★ Brakeman
20. Code - Pre build
● Dependency security check: scan all dependencies of binaries and executables and ensure that these dependencies, over which we often have no control, are free from vulnerabilities or malicious binaries
21. Code - After Deploy
● DAST (Dynamic Application Security Testing)
● A black-box security testing methodology in which an application is tested from the outside
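The Code slides above describe a pipeline of pre-build SAST, a dependency check, a container scan and post-deploy DAST. The following `.gitlab-ci.yml` is an added example, not material from the talk; it assumes a Rails application (Brakeman targets Rails), GitLab's bundled Security templates, a placeholder staging URL for the DAST job, and bundler-audit as the dependency checker (a tool choice made here, not named in the talk).

```yaml
# Added example .gitlab-ci.yml (not from the talk). Assumes a Rails app
# (Brakeman targets Rails), GitLab's Security templates, and a placeholder
# staging URL for the DAST stage; bundler-audit is a tool choice made here.
include:
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

stages: [test, build, container_scan, dast]

# Pre-build SAST: Brakeman exits non-zero on any warning, so the pipeline
# fails on the developer's branch before the code leaves their hands.
brakeman_sast:
  stage: test
  image: ruby:3.2
  script:
    - gem install brakeman --no-document
    - brakeman --no-pager --quiet --exit-on-warn -f json -o brakeman.json
  artifacts:
    when: always
    paths: [brakeman.json]

# Pre-build dependency check: Gemfile.lock against the Ruby advisory DB.
dependency_check:
  stage: test
  image: ruby:3.2
  script:
    - gem install bundler-audit --no-document
    - bundle-audit check --update

# Build and push the image the container scanner will inspect.
build_image:
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"

# Static scan of the image layers (the talk names Clair for this job).
container_scanning:
  stage: container_scan

# After deploy: black-box DAST against the running staging instance.
dast:
  stage: dast
  variables:
    DAST_WEBSITE: https://staging.example.invalid   # placeholder
```

The two `test` jobs run on every push, so a finding reaches the developer as rapid feedback on their own branch rather than as an audit after deploy.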
23. CI/CD Platform
★ Gitlab, Github, Azure, etc.
★ A good point to start the shared ownership strategy with Dev and Ops
★ Map their user stories and how they could abuse the platform
★ If you are using a SaaS platform, you remain responsible for its security: user and role restrictions, etc.
25. Containers
★ Oversimplification: a VM
★ More efficiency to deliver and deploy.
★ Shared images, more security, but the host also needs to be secure
★ Be careful with publicly available images.
26. Containers
★ Docker containers are, by default, quite secure; especially if you run your processes as non-privileged users
★ Control Groups: Resource accounting and limiting.
★ Restrict control of your Docker daemon to only trusted users
★ Extra layer of safety: AppArmor, SELinux, GRSEC, etc
27. Container
★ Clair: open source project for the static analysis of vulnerabilities in appc and Docker containers.
★ The Center for Internet Security (CIS) Docker Community Edition (CE) Benchmark: reference document designed to establish a secure configuration baseline for the Docker CE Engine.
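The Containers slides list the controls (non-privileged user, control groups, restricted daemon access, AppArmor or SELinux as an extra layer); this `docker-compose.yml` is an added example that applies them to one service, not code from the talk. The image name, the uid/gid and the resource figures are constructed placeholders.

```yaml
# Added example docker-compose.yml (not from the talk). Image name, uid/gid
# and limits are constructed placeholders.
services:
  web:
    image: registry.example.invalid/web:1.0.0   # pinned tag, never :latest
    # Run the process as a non-privileged user, so a compromise of the
    # application is not a compromise of root inside the container.
    user: "10001:10001"
    # Immutable root filesystem; only /tmp is writable (in memory, size-capped).
    read_only: true
    tmpfs:
      - /tmp:size=64m
    # Start with no kernel capabilities and add back only what is needed.
    cap_drop: [ALL]
    cap_add: [NET_BIND_SERVICE]
    # Block setuid/setgid escalation and keep the default AppArmor profile
    # (the extra layer the talk mentions); Docker's default seccomp stays on.
    security_opt:
      - no-new-privileges:true
      - apparmor:docker-default
    # Control groups: resource accounting and limiting, so one container
    # cannot exhaust host memory, CPU or the process table.
    mem_limit: 256m
    cpus: 0.5
    pids_limit: 200
    ports:
      - "8080:80"
    # Weak setting to avoid: mounting the daemon socket hands the container
    # control of the Docker daemon, which the talk says to restrict to
    # trusted users only. Keep it out of the service definition:
    # volumes:
    #   - /var/run/docker.sock:/var/run/docker.sock
```

Run `docker compose config` to see the fully resolved service and confirm each setting is in effect before deploying; CIS Docker Benchmark checks cover the same items at the host level.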
29. DevOps Technologies
★ No DevOps culture, methodology or mix of tools is the same
★ Cloud Native Computing Foundation: 1,300+ projects.
★ It's virtually impossible to be a DevSecOps Engineer. ;)
33. Cluster (Kubernetes)
★ As secure as your code, container and cloud
★ Control access to the Kubernetes and its API
★ Control access to the Kubelet
★ Control the capabilities of a workload or user at runtime, such as memory usage, to prevent an attack.
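The Cluster slide's first and last points (control access to the API; control a workload's capabilities at runtime, including memory) are shown below as Kubernetes manifests. This is an added example, not from the talk; names, namespace, image and uid are placeholders, and kubelet hardening (the middle point) is a node-level configuration that a manifest cannot express.

```yaml
# Added example (not from the talk); names, image and uid are placeholders.
# Control access to the API: a ServiceAccount whose Role can only read Pods
# in its own namespace, with no cluster-wide rights.
apiVersion: v1
kind: ServiceAccount
metadata: { name: web, namespace: shop }
automountServiceAccountToken: false   # token only mounted where a pod asks
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: { name: pod-reader, namespace: shop }
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: { name: web-pod-reader, namespace: shop }
subjects:
  - { kind: ServiceAccount, name: web, namespace: shop }
roleRef: { kind: Role, name: pod-reader, apiGroup: rbac.authorization.k8s.io }
---
# Control the workload's capabilities at runtime: non-root, no privilege
# escalation, no capabilities, read-only filesystem, and a memory cap so a
# misbehaving pod cannot starve the node.
apiVersion: v1
kind: Pod
metadata: { name: web, namespace: shop }
spec:
  serviceAccountName: web
  automountServiceAccountToken: true    # this pod does need the limited token
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile: { type: RuntimeDefault }
  containers:
    - name: web
      image: registry.example.invalid/web:1.0.0
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities: { drop: ["ALL"] }
      resources:
        requests: { cpu: 100m, memory: 128Mi }
        limits: { cpu: 500m, memory: 256Mi }
```

`kubectl auth can-i list pods --as=system:serviceaccount:shop:web -n shop` should answer yes, and the same query for `delete` or for another namespace should answer no.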
34. Cloud
Security in the cloud is similar to security in your on-premises data centers — only without the costs of maintaining facilities and hardware. In the cloud, you don't have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
35. Cloud
For this reason, cloud security is a Shared Responsibility between the customer and AWS, where customers are responsible for "security in the cloud" and AWS is responsible for "security of the cloud."
38. Conclusion
What is DevSecOps - 3 faces:
★ To introduce Security into DevOps Culture;
★ To secure DevOps Methodologies;
★ To secure DevOps Technologies;
39. Conclusion
★ Shift left: Empower Dev & Ops to take security measures
★ 4Cs: Code, CI/CD, Container, Cluster & Cloud
★ Devs: Learn about security development practices
★ Ops & Sec: Get onboard with the programme
40. First Step
GitLab's DevSecOps Methodology Assessment
https://about.gitlab.com/resources/devsecops-methodology-assessment/