Talk DevSecOps to me: An Introduction
Michelle Ribeiro
★ CEO @ SPIRITSEC
★ InfoSec & Open Source Pro since 1999
★ DevOpsDays, LPI, Debian Project
★ Debian Security Manual & DebConf 2004 (the site where Ubuntu was launched)
Innovation 90%
Tech 85%
GovTech 83%
Travel 65%
Michelle Ribeiro
★ Bsc International Relations @ LSE
★ MA Diplomacy & International Studies @
UoL - Chevening Scholarship
★ Innovation Strategy @ MIT
1. What is DevSecOps?
https://www.infoq.com/presentations/devsecops-2019/
The 3 Faces of DevOps
DevOps:
1. DevOps Culture
2. DevOps Methodologies
3. DevOps Tools
The 3 Faces of DevSecOps
DevSecOps:
1. Introduce Security into DevOps Culture
2. Secure DevOps Methodologies
3. Secure DevOps Tools
Waterfall Security
★ Infosec as gatekeepers;
★ Security audits only after deploy;
★ Too much time & money.
DevOps & (Reactive) Security
★ Innovation bottleneck
★ WAF anyone?
Automated threats require automated responses
58% of web traffic comes from humans. Bad bots alone account for almost 22% of all web traffic today, and this number is only expected to increase.
Proactive Security
★ Built-in security
★ Decentralized and automated
vulnerability assessments
★ Rapid feedback
★ Empower your Dev & Ops teams to make
security assessments
2. Introduce Security into DevOps Culture
Shift Left
★ “You build, you secure it” (John Willis)
★ Introduce security scans into the developer’s workflow, enabling them to find and fix vulnerabilities before the code ever leaves their hands and assuring constant feedback
★ Different layers of security: lower cost and more innovation
Shared Ownership
★ DevOps team: 100 DEV, 10 OPS & 1 SEC
★ Security development practices
★ Shared security library
★ Container images
★ Use DevOps tools to manage security issues and events.
★ Agile Postmortem
Get Onboard with the Programme
★ DevSecOps # Security as Code
★ Security as Code: automation with Ansible, Chef
★ Learn to code & use Git
★ Deep dive into the DevOps culture
★ Special attention to CI/CD & continuous feedback
3. Secure DevOps Methodologies
DevOps Methodologies
★ Microservices, APIs, CI/CD, etc, etc, etc…
★ No DevOps environment is the same as another
★ Cloud Native Security’s 4Cs:
1. Code
2. Container
3. Cluster
4. Cloud
Code - Pre build
★ SAST (Static Application Security Testing)
★ Code inspection for coding vulnerabilities, backdoors and malware
★ Brakeman (a static analysis security scanner for Ruby on Rails)
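SAST tools such as Brakeman inspect source before it is built, walking the parsed code rather than running it. The following is an added example written for this page, not Brakeman's code or anything from the talk: a minimal AST-based scanner for Python that flags the classic sinks (a shell command or eval() fed a runtime-built string, pickle on untrusted data, a secret assigned as a string literal). The rule set and the sample file it scans are constructed for illustration.

```python
"""Minimal AST-based SAST pass. Added example: not Brakeman's code, and the
rules and sample file below are constructed for illustration."""
import ast
import re
from dataclasses import dataclass

SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_key)", re.I)
CODE_EVAL = {"eval", "exec"}
SHELL_FUNCS = {"os.system", "os.popen", "subprocess.call", "subprocess.run",
               "subprocess.Popen", "subprocess.check_output", "subprocess.check_call"}
ALWAYS_SHELL = {"os.system", "os.popen"}   # these go through /bin/sh regardless of flags


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def _dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_dynamic(node):
    """False only for a plain literal; an f-string with placeholders, a
    concatenation, a .format() call or a variable is built at runtime."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    return True


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _dotted(node.func)
        first = node.args[0] if node.args else None
        if name in CODE_EVAL and first is not None and _is_dynamic(first):
            self.findings.append(Finding(node.lineno, "code-injection",
                                         f"{name}() on a runtime-built value"))
        if name in SHELL_FUNCS:
            shell = name in ALWAYS_SHELL or any(
                k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
                for k in node.keywords)
            if shell and first is not None and _is_dynamic(first):
                self.findings.append(Finding(node.lineno, "command-injection",
                                             f"{name}() runs a runtime-built command through a shell"))
        if name in {"pickle.load", "pickle.loads"}:
            self.findings.append(Finding(node.lineno, "unsafe-deserialization",
                                         f"{name}() executes whatever the payload encodes"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        for target in node.targets:
            if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str) and node.value.value):
                self.findings.append(Finding(node.lineno, "hardcoded-secret",
                                             f"{target.id} is assigned a string literal"))
        self.generic_visit(node)


def scan_source(source):
    """Parse Python source and return findings in line order."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: f.line)


# Constructed file under review; the line numbers in the comments count from
# the first line after the opening quotes. The key value is a placeholder.
SAMPLE = '''\
import os, subprocess, pickle
API_KEY = "sk-live-0123456789"                    # line 2
def ping(host):
    os.system("ping -c1 " + host)                  # line 4
    subprocess.run(["ping", "-c1", host])          # line 5: list form, no shell
    subprocess.run(f"ping -c1 {host}", shell=True) # line 6
def load(blob):
    return pickle.loads(blob)                      # line 8
def calc(expr):
    return eval(expr)                              # line 10
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

Line 5 of the sample is deliberately left clean: the list form of subprocess.run never touches a shell, so the same argument that is a finding on line 6 is fine there. A developer gets this feedback from a pre-commit hook or the first CI stage, before a reviewer ever sees the code.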
Code - Pre build
● Dependency security check - scan all
dependencies of binaries and
executables and ensure that these
dependencies, over which we often have
no control, are free from vulnerabilities or
malicious binaries
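A dependency check has two halves: is every dependency pinned to an exact, hash-verified artifact (so a substituted package is rejected), and is any pinned version covered by a known advisory. The gate below is an added example, not from the talk and not the code of tools such as bundler-audit, pip-audit or OWASP Dependency-Check; the package names, the advisory feed and the lockfile are all constructed, and the hash digests are placeholders.

```python
"""Pre-build dependency gate. Added example, standing in for tools such as
bundler-audit, pip-audit or OWASP Dependency-Check; the package names and
advisories are constructed, not real ones."""
import re
from dataclasses import dataclass

# Constructed advisory feed. A real gate pulls this from an advisory database
# (OSV, GitHub Advisory Database, Ruby Advisory DB, ...) at build time.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "acme-web", "fixed_in": "2.4.1", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "fastjsonx", "fixed_in": "0.9.0", "severity": "critical"},
]

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)(.*)$")


def parse_version(text):
    """'2.4.1' -> ((2,0),(4,0),(1,0)); a pre-release part such as '1rc1' sorts
    just below its release ('1rc1' -> (1,-1)), so 2.4.1rc1 < 2.4.1 and is
    treated as still affected. Returns None if a part has no leading digits."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            return None
        parts.append((int(m.group()), 0 if m.group() == piece else -1))
    return tuple(parts)


@dataclass
class Violation:
    package: str
    version: str
    reason: str


def check_requirements(text):
    """Return the policy violations for a requirements.txt-style lockfile."""
    violations = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            violations.append(Violation(line, "", "not an exact '==' pin; the resolver may pick a newer, unreviewed release"))
            continue
        name, version, rest = m.group(1).lower(), m.group(2), m.group(3)
        if "--hash=sha256:" not in rest:
            violations.append(Violation(name, version, "no --hash pin; a substituted artifact with the same version would be accepted"))
        installed = parse_version(version)
        for adv in ADVISORIES:
            if adv["package"] != name:
                continue
            # Fail closed: an unparsable version is treated as affected.
            if installed is None or installed < parse_version(adv["fixed_in"]):
                violations.append(Violation(name, version, f"{adv['id']} ({adv['severity']}): fixed in {adv['fixed_in']}"))
    return violations


def build_allowed(text):
    """The CI job fails unless this is True."""
    return not check_requirements(text)


# Constructed lockfile; the digests are placeholders, not real hashes.
REQUIREMENTS = """\
acme-web==2.3.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
fastjsonx==1.2.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
loggo==3.1.4
cryptoutils>=1.0   # range, not a pin
"""

if __name__ == "__main__":
    for v in check_requirements(REQUIREMENTS):
        print(f"{v.package} {v.version}: {v.reason}")
    print("build allowed:", build_allowed(REQUIREMENTS))
```

Run on the constructed lockfile, the gate stops the build for three reasons: acme-web is below the fixed version, loggo has no hash pin, and cryptoutils is a version range rather than a pin. Note the pre-release handling: a release candidate of the fixed version is still counted as affected, which is the conservative choice for a gate.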
Code - After Deploy
● DAST - Dynamic application security
testing
● A black-box security testing
methodology in which an application is
tested from the outside
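DAST has no access to the source: it sends requests to the running application and reasons only from the responses. The following added example (not from the talk, not a product) starts a constructed, deliberately weak WSGI application on an ephemeral localhost port and scans it purely over HTTP, checking whether a canary query value is reflected into the page unencoded and whether hardening headers are present. It assumes loopback networking is available and uses only the Python standard library.

```python
"""Black-box DAST probe. Added example, not a product: it starts a constructed,
deliberately weak WSGI app on an ephemeral localhost port and then tests it only
over HTTP, which is how a DAST scanner sees a deployed service. Assumes loopback
networking is available; standard library only."""
import threading
import urllib.parse
import urllib.request
from html import escape
from wsgiref.simple_server import WSGIRequestHandler, make_server

# Marker that is harmless unless the application echoes it unencoded.
CANARY = "dast7x<\"'>"


def weak_app(environ, start_response):
    """Constructed target: /search reflects ?q= verbatim, /safe HTML-encodes it."""
    query = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    q = query.get("q", [""])[0]
    path = environ["PATH_INFO"]
    if path == "/search":
        body = f"<p>Results for {q}</p>"
    elif path == "/safe":
        body = f"<p>Results for {escape(q)}</p>"
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/html")])  # no hardening headers
    return [body.encode()]


class QuietHandler(WSGIRequestHandler):
    def log_message(self, *args):  # keep request logging out of the scan output
        pass


def probe(base_url, paths):
    """Return (path, finding) pairs derived only from observed responses."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    findings = []
    for path in paths:
        url = f"{base_url}{path}?q={urllib.parse.quote(CANARY)}"
        with opener.open(url, timeout=5) as resp:
            headers = {k.lower() for k, _ in resp.getheaders()}
            body = resp.read().decode()
        if CANARY in body:
            findings.append((path, "reflected input without encoding (XSS candidate)"))
        for h in ("content-security-policy", "x-content-type-options"):
            if h not in headers:
                findings.append((path, f"missing {h} header"))
    return findings


def run_scan():
    """Serve the weak app on 127.0.0.1:<random port>, scan it, shut it down."""
    server = make_server("127.0.0.1", 0, weak_app, handler_class=QuietHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return probe(f"http://127.0.0.1:{server.server_port}", ["/search", "/safe"])
    finally:
        server.shutdown()
        thread.join()
        server.server_close()


if __name__ == "__main__":
    for path, finding in run_scan():
        print(f"{path}: {finding}")
```

The scanner cannot see that /safe calls escape() and /search does not; it infers the difference from whether the canary comes back intact. Missing headers are reported for both paths, which is the kind of finding DAST is good at and SAST never sees, because the headers are set (or not) by the deployed stack rather than by the application code.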
CI/CD Platform
★ Gitlab, Github, Azure, etc.
★ A good point to start the shared ownership strategy with
Dev and Ops
★ Map their user story, how they could abuse the platform
★ If you are using a SaaS platform, you remain responsible for its security: user and role restrictions, etc.
Containers
★ Oversimplification: a container is a VM
★ More efficient to deliver and deploy.
★ Shared images give more security, but the host also needs to be secure
★ Be careful with publicly available images.
Containers
★ Docker containers are, by default, quite secure; especially if
you run your processes as non-privileged users
★ Control Groups: Resource accounting and limiting.
★ Restrict control of your Docker daemon to only trusted users
★ Extra layer of safety: AppArmor, SELinux, GRSEC, etc
Container
★ Clair: open source project for the static analysis of vulnerabilities in appc and Docker containers.
★ The Center for Internet Security (CIS) Docker Community Edition (CE) Benchmark: reference document designed to establish a secure configuration baseline for the Docker CE Engine.
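The container slides above amount to a checklist: pin and vet the base image, avoid piping downloads into a shell, run as an unprivileged user, give the orchestrator a health check. Those rules can be enforced as code in the pipeline rather than in a review. The linter below is an added example, not from the talk and not the CIS benchmark's own text or tooling; its rules follow the themes of the slides and the benchmark, and the registry allowlist, the placeholder digest and both Dockerfiles are constructed.

```python
"""Dockerfile policy check. Added example: the rules are in the spirit of the
CIS Docker Benchmark and the slide's advice, not a copy of the benchmark, and
the registry allowlist and both Dockerfiles are constructed."""
import re

# Constructed allowlist: only images rebuilt and scanned in-house may be a base.
TRUSTED_REGISTRIES = ("registry.example.internal/",)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")


def parse_dockerfile(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        instr, _, arg = (pending + line).partition(" ")
        pending = ""
        yield instr.upper(), arg.strip()


def lint_dockerfile(text):
    """Return the policy findings for one Dockerfile."""
    findings = []
    ops = list(parse_dockerfile(text))
    user = "root"                      # Docker's default when no USER is given
    for instr, arg in ops:
        if instr == "FROM":
            image = arg.split()[0]     # drop "AS builder"
            tail = image.rsplit("/", 1)[-1]
            if "@sha256:" not in image and (":" not in tail or tail.endswith(":latest")):
                findings.append(f"FROM {image}: base image not pinned by tag or digest, so every build may pull something different")
            if not image.startswith(TRUSTED_REGISTRIES):
                findings.append(f"FROM {image}: base image is not from a vetted registry")
        elif instr == "ADD":
            findings.append(f"ADD {arg}: use COPY; ADD fetches URLs and auto-extracts archives")
        elif instr == "RUN" and PIPE_TO_SHELL.search(arg):
            findings.append("RUN pipes a download straight into a shell; download, verify a checksum, then execute")
        elif instr == "USER":
            user = arg
    if user in ("root", "0"):
        findings.append("container runs as root; add an unprivileged user and a final USER instruction")
    if not any(instr == "HEALTHCHECK" for instr, _ in ops):
        findings.append("no HEALTHCHECK; the orchestrator cannot tell a hung container from a healthy one")
    return findings


# Constructed Dockerfiles. example.invalid is a reserved name that never resolves.
WEAK = """\
FROM ubuntu
ADD https://example.invalid/tool.tar.gz /opt/
RUN curl -sSL https://example.invalid/install.sh | sh
EXPOSE 8080
CMD ["/opt/tool/server"]
"""

# The digest is a placeholder; a real one is the sha256 reported by `docker pull`.
HARDENED = f"""\
FROM registry.example.internal/base/python:3.12-slim@sha256:{'a' * 64}
RUN groupadd -r app && useradd -r -g app -d /app app
COPY --chown=app:app . /app
HEALTHCHECK --interval=30s CMD python /app/healthcheck.py || exit 1
USER app
CMD ["python", "/app/server.py"]
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", lint_dockerfile(text) or ["ok"])
```

The weak Dockerfile produces six findings and the hardened one none. The digest pin matters more than the tag: a tag such as 3.12-slim can be re-pointed by whoever controls the registry, while a digest names exactly one image, which is also what makes the scan result from Clair reproducible.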
4. Secure DevOps Technologies
DevOps Technologies
★ No DevOps culture, methodology or mix of tools is the same as another
★ Cloud Native Computing Foundation: over 1,300 projects.
★ It's virtually impossible to be a DevSecOps Engineer. ;)
Cluster (Kubernetes)
★ As secure as your code, containers and cloud
★ Control access to the Kubernetes API
★ Control access to the Kubelet
★ Control the capabilities of a workload or user at runtime, such as memory usage, to prevent an attack.
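Limiting what a workload can do at runtime is expressed in the Pod spec: no host namespaces, no privilege escalation, non-root, capabilities dropped, and a memory limit so one container cannot starve the node. An admission controller rejects manifests that miss these, and the same check can run in CI on the manifests in the repository. The check below is an added example (not from the talk, not any project's admission code); it works on a manifest already parsed into a dict, and both sample Pods are constructed.

```python
"""Admission-style check for Kubernetes Pod specs. Added example (not from the
talk or any project): it enforces the runtime limits the slide describes on a
manifest already parsed into a dict; both sample Pods are constructed."""


def _get(d, *path, default=None):
    """Walk nested dicts; return default when any key is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def check_pod(pod):
    """Return the policy violations for one Pod manifest (dict)."""
    problems = []
    name = _get(pod, "metadata", "name", default="<unnamed>")
    spec = _get(pod, "spec", default={})
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        problems.append(f"{name}: shares a host namespace (network/PID/IPC)")
    pod_non_root = _get(spec, "securityContext", "runAsNonRoot", default=False)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            problems.append(f"{name}/{cname}: privileged container has the host's devices and capabilities")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes defaults this to true
            problems.append(f"{name}/{cname}: allowPrivilegeEscalation is not false (setuid binaries can gain root)")
        if not (sc.get("runAsNonRoot") or pod_non_root):
            problems.append(f"{name}/{cname}: runAsNonRoot is not enforced")
        if "ALL" not in _get(sc, "capabilities", "drop", default=[]):
            problems.append(f"{name}/{cname}: Linux capabilities are not dropped (capabilities.drop: [ALL])")
        if not _get(c, "resources", "limits", "memory"):
            problems.append(f"{name}/{cname}: no memory limit, so one workload can starve the node")
    return problems


# Constructed manifests, as they would look after yaml.safe_load().
DEFAULT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {"containers": [{"name": "app", "image": "registry.example.internal/api:1.4.2"}]},
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "registry.example.internal/api:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"memory": "256Mi", "cpu": "500m"},
                          "requests": {"memory": "128Mi", "cpu": "100m"}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("default", DEFAULT_POD), ("hardened", HARDENED_POD)):
        print(label, "->", check_pod(pod) or ["ok"])
```

The point of the default manifest is that it is not wrong, just unconstrained: with nothing set, Kubernetes runs the container as whatever user the image chose (root, for most public images), with privilege escalation allowed and no memory ceiling. The hardened manifest states every limit explicitly, which is what the check requires.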
Cloud
Security in the cloud is similar to security in your on-premises data centers, only without the costs of maintaining facilities and hardware. In the cloud, you don't have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
Cloud
For this reason, cloud security is a Shared
Responsibility between the customer and AWS,
where customers are responsible for “security in
the cloud” and AWS is responsible for “security of
the cloud.”
★ Netflix's Security Monkey
★ Scout2
★ Forseti Security &
cloudsploit
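"Security in the cloud" is the customer's half of the shared responsibility, and the tools listed above work by reading the account's configuration and flagging the same handful of patterns: wildcard IAM grants, permissions that allow escalation, and storage open to an anonymous principal. The audit below is an added example in that spirit, not the code of Security Monkey, Scout2, Forseti or cloudsploit and not from the talk; it reads AWS-style IAM and S3 bucket policy documents. Every policy is constructed, and the address range and account id are the documentation placeholders.

```python
"""Cloud account audit. Added example in the spirit of Scout2, cloudsploit and
Security Monkey, not their code: it reads AWS-style IAM and S3 bucket policy
documents and flags the patterns those tools report. All policies below are
constructed; 203.0.113.0/24 is the documentation address range."""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' or {"AWS": "*"} means anyone, authenticated with any account or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_policy(label, doc):
    """Findings for one policy document (already parsed from JSON)."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        on_everything = "*" in resources
        if "*" in actions and on_everything:
            findings.append(f"{label} statement {i}: Allow * on * is full administrative access")
        elif on_everything and any(a.endswith(":*") for a in actions):
            findings.append(f"{label} statement {i}: service-wide wildcard {actions} on every resource")
        if on_everything and any(a in ("iam:PassRole", "iam:*", "sts:AssumeRole") for a in actions):
            findings.append(f"{label} statement {i}: {actions} on * lets the holder escalate to any role")
        # A public principal with a Condition (source IP, source ARN, ...) still
        # deserves review, but is not an open bucket.
        if _principal_is_public(st.get("Principal")) and not st.get("Condition"):
            findings.append(f"{label} statement {i}: unconditioned public principal; anyone can {actions}")
    return findings


def audit_all(policies):
    """policies: {label: policy JSON text}. Returns every finding, in order."""
    findings = []
    for label, text in policies.items():
        findings.extend(audit_policy(label, json.loads(text)))
    return findings


# Constructed policies: a role, a CI deploy user, and two bucket policies.
POLICIES = {
    "admin-role": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}',
    "ci-deploy": """{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-artifacts/*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}""",
    "site-bucket": """{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}]}""",
    "office-bucket": """{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}""",
}

if __name__ == "__main__":
    for finding in audit_all(POLICIES):
        print(finding)
```

The ci-deploy policy shows why wildcards need to be judged per statement: its first statement is tightly scoped, but the second, iam:PassRole on every resource, lets a compromised CI credential attach any role in the account to a resource it can create. The office-bucket policy has the same public principal as site-bucket but is not reported, because the Condition limits it to one network; it is left for manual review rather than treated as open.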
5. Conclusion
Conclusion
What is DevSecOps - 3 faces:
★ To introduce Security into DevOps Culture;
★ To secure DevOps Methodologies;
★ To secure DevOps Technologies;
Conclusion
★ Shift left: Empower Dev&Ops to take security
measures
★ 4Cs: Code, CI/CD, Container, Cluster & Cloud
★ Devs: Learn about security development practices
★ Ops & Sec: Get onboard with the programme
First Step
GitLab’s DevSecOps Methodology Assessment
https://about.gitlab.com/resources/devsecops-methodology-assessment/
Thanks!
@michelleribeiro

Weitere ähnliche Inhalte

Was ist angesagt?

Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops  security and compliance at the speed of continuous delivery - owaspDev secops  security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDag Rowe
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsPriyanka Aash
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyDerek E. Weeks
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secopsMohammed Ahmed
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Denim Group
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar NikaleAgile Testing Alliance
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsDevSecOps Days
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingAarno Aukia
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityFranklin Mosley
 

Was ist angesagt? (20)

Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops  security and compliance at the speed of continuous delivery - owaspDev secops  security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owasp
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
DevSecOps OWASP
DevSecOps OWASPDevSecOps OWASP
DevSecOps OWASP
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secops
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOps
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving Security
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
 

Ähnlich wie Talk DevSecOps to me

What skills are necessary to become a DevOps Engineer.pdf
What skills are necessary to become a DevOps Engineer.pdfWhat skills are necessary to become a DevOps Engineer.pdf
What skills are necessary to become a DevOps Engineer.pdfprabhuseshu
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Shannon Williams
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrewLibbySchulze
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018Outpost24
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Sqreen
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenryDevSecCon
 
What_is_DevOps_how_it's_very_useful_in_daily_Life.
What_is_DevOps_how_it's_very_useful_in_daily_Life.What_is_DevOps_how_it's_very_useful_in_daily_Life.
What_is_DevOps_how_it's_very_useful_in_daily_Life.anilpmuvvala
 
What is DevOps And How It Is Useful In Real life.
What is DevOps And How It Is Useful In Real life.What is DevOps And How It Is Useful In Real life.
What is DevOps And How It Is Useful In Real life.anilpmuvvala
 
Secure programming language basis
Secure programming language basisSecure programming language basis
Secure programming language basisAnkita Bhalla
 
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24
 
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT LeadershipDevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT LeadershipBryan Len
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source WayGordon Haff
 
Docker Birthday #5 Meetup Cluj - Presentation
Docker Birthday #5 Meetup Cluj - PresentationDocker Birthday #5 Meetup Cluj - Presentation
Docker Birthday #5 Meetup Cluj - PresentationAlex Vranceanu
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..Siddharth Joshi
 
DevSecOps: Security With DevOps
DevSecOps: Security With DevOpsDevSecOps: Security With DevOps
DevSecOps: Security With DevOpsKnoldus Inc.
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 

Ähnlich wie Talk DevSecOps to me (20)

What skills are necessary to become a DevOps Engineer.pdf
What skills are necessary to become a DevOps Engineer.pdfWhat skills are necessary to become a DevOps Engineer.pdf
What skills are necessary to become a DevOps Engineer.pdf
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
 
DevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docxDevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docx
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
The Importance of DevOps Security in 2023.docx
The Importance of DevOps Security in 2023.docxThe Importance of DevOps Security in 2023.docx
The Importance of DevOps Security in 2023.docx
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
 
What_is_DevOps_how_it's_very_useful_in_daily_Life.
What_is_DevOps_how_it's_very_useful_in_daily_Life.What_is_DevOps_how_it's_very_useful_in_daily_Life.
What_is_DevOps_how_it's_very_useful_in_daily_Life.
 
What is DevOps And How It Is Useful In Real life.
What is DevOps And How It Is Useful In Real life.What is DevOps And How It Is Useful In Real life.
What is DevOps And How It Is Useful In Real life.
 
Secure programming language basis
Secure programming language basisSecure programming language basis
Secure programming language basis
 
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
Outpost24 Webinar - DevOps to DevSecOps: delivering quality and secure develo...
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
 
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT LeadershipDevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
DevSecOps IT Modernization Training Bootcamp for Security Staff, IT Leadership
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
 
Docker Birthday #5 Meetup Cluj - Presentation
Docker Birthday #5 Meetup Cluj - PresentationDocker Birthday #5 Meetup Cluj - Presentation
Docker Birthday #5 Meetup Cluj - Presentation
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOps
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 
DevSecOps: Security With DevOps
DevSecOps: Security With DevOpsDevSecOps: Security With DevOps
DevSecOps: Security With DevOps
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 

Kürzlich hochgeladen

Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 

Kürzlich hochgeladen (20)

Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 

Talk DevSecOps to me

15. Get Onboard with the Programme
★ DevSecOps ≠ Security as Code
★ Security as Code: automation with Ansible, Chef
★ Learn to code & use Git
★ Deep dive into the DevOps culture
★ Special attention to CI/CD & continuous feedback
17. DevOps Methodologies
★ Microservices, APIs, CI/CD, etc, etc, etc…
★ No DevOps environment is the same as another
★ Cloud Native Security’s 4Cs:
  1. Code
  2. Container
  3. Cluster
  4. Cloud
19. Code - Pre build
★ SAST (Static Application Security Testing)
★ Code inspection for coding vulnerabilities, backdoors and malware
★ Brakeman
20. Code - Pre build
● Dependency security check - scan all dependencies of binaries and executables and ensure that these dependencies, over which we often have no control, are free from vulnerabilities or malicious binaries
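A minimal pre-build dependency gate of the kind the slide describes, added here as an example (not a tool from the talk): pinned versions are compared against a constructed advisory feed and the build fails when any pin falls inside a vulnerable range. Package names, advisory ids and version ranges are all constructed.

```python
"""Pre-build dependency gate: fail the build when a pinned dependency falls
inside a known-vulnerable version range. Added example, not a tool from the
talk; the advisory feed and requirements file below are constructed."""
import re

# Constructed advisory feed: (package, first vulnerable, first fixed, id);
# a fixed version of None means no fix has been published yet.
ADVISORIES = [
    ("requests", "2.0.0", "2.20.0", "EXAMPLE-ADV-0001"),
    ("pyyaml", "0.0.0", "5.4", "EXAMPLE-ADV-0002"),
    ("urllib3", "1.0.0", None, "EXAMPLE-ADV-0003"),
]

# Constructed requirements.txt with exact pins, as a developer would commit it.
REQUIREMENTS = """\
requests==2.19.1
pyyaml==5.4
flask==2.0.3   # not in the advisory feed
urllib3==1.26.5
"""

def parse_version(text):
    """'2.19.1' -> (2, 19, 1): tuple comparison gives a simple version order."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def parse_requirements(text):
    """Return {name: version} for every 'name==version' pin, ignoring comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def vulnerable_pins(pins, advisories=ADVISORIES):
    """(package, version, advisory id) for each pin in [first_vulnerable, first_fixed)."""
    findings = []
    for name, vuln_from, fixed_in, adv_id in advisories:
        if name not in pins:
            continue
        v = parse_version(pins[name])
        not_fixed = fixed_in is None or v < parse_version(fixed_in)
        if v >= parse_version(vuln_from) and not_fixed:
            findings.append((name, pins[name], adv_id))
    return findings

def gate(requirements_text):
    """CI exit status: 0 when every pin is clean, 1 when any pin is vulnerable."""
    findings = vulnerable_pins(parse_requirements(requirements_text))
    for name, version, adv_id in findings:
        print(f"FAIL {name}=={version} ({adv_id})")
    return 1 if findings else 0
```

Wire `gate()` into the pipeline step that runs before the build so the developer sees the failing pin in their own job log, which is the feedback loop the shift-left slides describe.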
21. Code - After Deploy
● DAST - Dynamic Application Security Testing
● A black-box security testing methodology in which an application is tested from the outside
23. CI/CD Platform
★ GitLab, GitHub, Azure, etc.
★ A good point to start the shared ownership strategy with Dev and Ops
★ Map their user stories, and how the platform could be abused
★ If you are using a SaaS platform, you remain responsible for its security - user and role restrictions, etc.
25. Containers
★ Oversimplification: a VM
★ More efficiency to deliver and deploy.
★ Shared images, more security, but the host also needs to be secure
★ Be careful with publicly available images.
26. Containers
★ Docker containers are, by default, quite secure; especially if you run your processes as non-privileged users
★ Control Groups: resource accounting and limiting.
★ Restrict control of your Docker daemon to only trusted users
★ Extra layer of safety: AppArmor, SELinux, GRSEC, etc.
27. Container
★ Clair: open source project for the static analysis of vulnerabilities in appc and Docker containers.
★ The Center for Internet Security (CIS) Docker Community Edition (CE) Benchmark: reference document designed to establish a secure configuration baseline for the Docker CE Engine.
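The runtime items from slide 26 (non-privileged user, cgroup memory limit, no privileged mode, an AppArmor profile) are the kind of settings the CIS Docker Benchmark checks; the added example below, which is neither Clair nor the CIS tooling, audits `docker inspect` output for them. The two inspect records are constructed and trimmed to the fields the checks read.

```python
"""Audit `docker inspect` records against four host-side checks from slide 26.
Added example, not Clair or the CIS Benchmark tooling; the records below are
constructed excerpts in the shape `docker inspect <container>` returns."""
import json

# Constructed: one container configured as the slide recommends, one not.
INSPECT_JSON = json.dumps([
    {"Name": "/web", "Config": {"User": "app"},
     "HostConfig": {"Privileged": False, "Memory": 268435456},
     "AppArmorProfile": "docker-default"},
    {"Name": "/legacy", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "Memory": 0},
     "AppArmorProfile": ""},
])

def audit_container(c):
    """Return the list of failed checks for one inspect record."""
    failures = []
    user = c.get("Config", {}).get("User", "")
    if user in ("", "0", "root"):      # empty User means root inside the container
        failures.append("runs as root: set USER in the Dockerfile or pass --user")
    host = c.get("HostConfig", {})
    if host.get("Privileged"):
        failures.append("privileged: all capabilities and host devices are exposed")
    if not host.get("Memory"):          # 0 means no cgroup memory limit at all
        failures.append("no memory limit: add --memory so one container cannot starve the host")
    if c.get("AppArmorProfile", "") in ("", "unconfined"):
        failures.append("no AppArmor profile: keep docker-default (or SELinux) enabled")
    return failures

def audit(inspect_json):
    """Map container name -> failed checks, omitting containers that pass."""
    report = {}
    for c in json.loads(inspect_json):
        failures = audit_container(c)
        if failures:
            report[c["Name"]] = failures
    return report

if __name__ == "__main__":
    for name, failures in audit(INSPECT_JSON).items():
        print(name)
        for f in failures:
            print("  -", f)
```

On a host without AppArmor the profile field is empty for every container, so treat that check as a hint to enable SELinux or another LSM rather than as a per-container defect.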
29. DevOps Technologies
★ No DevOps Culture, Methodologies or mix of tools are the same
★ Cloud Native Computing Foundation: 1,300+ projects.
★ It’s virtually impossible to be a DevSecOps Engineer. ;)
33. Cluster (Kubernetes)
★ Secure as your code, container and cloud
★ Control access to the Kubernetes API
★ Control access to the Kubelet
★ Control the capabilities of a workload or user at runtime, such as memory usage, to prevent an attack.
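For the "control access to the Kubernetes API" item, the added example below (not a project's own tool) flags over-broad RBAC rules: wildcards in verbs, resources or API groups, and grants on resources whose read access is as sensitive as write access. The Role objects are constructed in the shape `kubectl get roles -o json` returns.

```python
"""Flag over-broad RBAC rules, which decide who can do what through the API.
Added example, not a project's tooling; the Role objects are constructed."""

# Resources where even 'get' or 'create' is equivalent to node or secret access.
SENSITIVE = {"secrets", "pods/exec", "pods/attach", "nodes/proxy"}

# Constructed: a narrowly scoped deployer role and a catch-all debugging role.
ROLES = [
    {"metadata": {"name": "ci-deployer", "namespace": "ci"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "update", "patch"]}]},
    {"metadata": {"name": "debug-helper", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec", "secrets"],
                "verbs": ["get", "create"]},
               {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

def rule_findings(rule):
    """Return the reasons a single rule is over-broad (empty when it is fine)."""
    reasons = []
    if "*" in rule.get("verbs", []):
        reasons.append("wildcard verbs")
    if "*" in rule.get("resources", []):
        reasons.append("wildcard resources")
    if "*" in rule.get("apiGroups", []):
        reasons.append("wildcard apiGroups")
    hits = sorted(SENSITIVE.intersection(rule.get("resources", [])))
    if hits:
        reasons.append("sensitive resources: " + ", ".join(hits))
    return reasons

def audit_roles(roles):
    """Map 'namespace/name' -> [(rule index, reasons)] for roles with issues."""
    report = {}
    for role in roles:
        meta = role["metadata"]
        key = f"{meta.get('namespace', 'cluster')}/{meta['name']}"
        issues = [(i, r) for i, rule in enumerate(role.get("rules", []))
                  if (r := rule_findings(rule))]
        if issues:
            report[key] = issues
    return report
```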
34. Cloud
Security in the cloud is similar to security in your on-premises data centers — only without the costs of maintaining facilities and hardware. In the cloud, you don’t have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
35. Cloud
For this reason, cloud security is a Shared Responsibility between the customer and AWS, where customers are responsible for “security in the cloud” and AWS is responsible for “security of the cloud.”
36.
★ Netflix's Security Monkey
★ Scout2
★ Forseti Security & CloudSploit
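A "security in the cloud" check of the kind Security Monkey and Scout2 run, added here as an example that is not their code: it finds security group rules that expose administrative ports to the whole internet. The groups are constructed in the shape `aws ec2 describe-security-groups` returns, and the port list is an assumption for the example.

```python
"""Find security groups whose ingress rules open admin ports to 0.0.0.0/0 or ::/0.
Added example in the spirit of Scout2 / Security Monkey, not their code; the
group records are constructed and the admin port list is an assumption."""

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 2375: "docker-api"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed: a web group that is fine, and a bastion group with an "all traffic" rule.
GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",                      # -1 means every protocol and port
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def open_to_world(perm):
    """True if any IPv4 or IPv6 range on this permission is the whole internet."""
    ranges = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    ranges += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(r in ANYWHERE for r in ranges)

def exposed_admin_ports(perm):
    """Admin ports covered by this permission; protocol -1 covers all of them."""
    if perm.get("IpProtocol") == "-1":
        return sorted(ADMIN_PORTS)
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return []
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    return sorted(p for p in ADMIN_PORTS if lo <= p <= hi)

def audit_groups(groups):
    """Map GroupId -> sorted admin ports reachable from anywhere (clean groups omitted)."""
    report = {}
    for g in groups:
        ports = set()
        for perm in g.get("IpPermissions", []):
            if open_to_world(perm):
                ports.update(exposed_admin_ports(perm))
        if ports:
            report[g["GroupId"]] = sorted(ports)
    return report
```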
38. Conclusion
What is DevSecOps - 3 faces:
★ To introduce Security into DevOps Culture;
★ To secure DevOps Methodologies;
★ To secure DevOps Technologies.
39. Conclusion
★ Shift left: empower Dev & Ops to take security measures
★ 4Cs: Code, CI/CD, Container, Cluster & Cloud
★ Devs: learn about security development practices
★ Ops & Sec: get onboard with the programme
40. First Step
GitLab’s DevSecOps Methodology Assessment
https://about.gitlab.com/resources/devsecops-methodology-assessment/