DEVSECOPS
TOMAS HONZAK, CISM
CHIEF INFORMATION SECURITY OFFICER
GOODDATA CORPORATION
TOMAS HONZAK / DEVSECOPS
IMAGINE YOU HAVE A NICE AGILE COMPANY …
AND YOU RUN DEVOPS …
BUT THEN, SUDDENLY …
WHAT SHALL YOU DO?
“PANIC?”
OF COURSE NOT … YOU CAN GET CONSULTANTS!
BUT HOW WILL IT END UP?
▸ Release Plan
▸ Change Control Board Approval
▸ Release Manager Approval
▸ Documented Meeting Minutes
▸ Project Manager
AND WE STILL DID NOT ADD ANY “REAL” SECURITY …
Dynamic code analysis
Secure Code Review
IF ONLY THERE WAS A BETTER WAY…
KEY DEVSECOPS PRINCIPLES
▸ Embrace the cultural and practical changes
  ▸ Integrate security in the whole lifecycle, from requirements, design and analysis to testing, deployment and operations
▸ Automate your critical processes
  ▸ Automation helps prevent errors and omissions and provides reliable assurance both for you and your auditors
▸ Empower your teams
  ▸ Like all things Agile, the teams must know what they are doing
ADDING THE “SEC” INTO DEVOPS PART 1 - DEVSEC
(labels from the pipeline diagram, in the order the slide reveals them)
▸ JIRA # to commit message
▸ “Compliance check”
▸ SAST
▸ Sign the package
▸ Burp Suite / OWASP ZAP
▸ Verify the signature
▸ Apply configuration as code
▸ Secure and automated
▸ Logged / Alerted / Reviewed
DEVSEC SUMMARY
▸ Move security as far to the left as possible
▸ Enhance your CI/CD pipeline with security testing tools
  ▸ Static code analysis (SonarQube)
  ▸ Lightweight penetration testing (Burp / OWASP ZAP)
▸ Enforce change control, approvals and SoD (segregation of duties) by gating (Zuul)
  ▸ “JIRA ticket = approval, peer review = SoD”
▸ Secure the environment and log everything
  ▸ (traceability and accountability)
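The DevSec pipeline of the two preceding slides (JIRA key in the commit message, the “compliance check”, SAST, peer review as segregation of duties, every decision logged) can be expressed as one merge gate. What follows is an added example written for this page, not code from the talk or from GoodData: the JIRA key pattern, the ticket states that count as an approval, the SAST finding format, the blocking severities and the two sample changes are all assumptions made for the example. A real gate would look the ticket up through the JIRA API and read findings from the scanner's report rather than from the inline dictionaries.

```python
"""Change-control gate for a CI/CD pipeline: JIRA key in the commit message,
ticket state as the approval, an independent reviewer as segregation of duties,
SAST result, and one audit record per decision.

Added example; not code from the talk or from GoodData. Ticket states, the
finding format and the key pattern are assumptions made for this example."""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed JIRA key pattern, e.g. "SEC-123", bounded so it is not matched inside words.
JIRA_KEY = re.compile(r"\b([A-Z][A-Z0-9]+-\d+)\b")

# Assumed ticket states that count as an approval to ship the change.
APPROVED_STATES = {"Approved", "Ready for Release"}

# Assumed SAST severities that block a merge; lower ones are reported, not blocking.
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass
class Change:
    commit_sha: str
    author: str
    message: str
    reviewers: list                                    # accounts that approved the review
    sast_findings: list = field(default_factory=list)  # [{"severity": ..., "rule": ...}]


def extract_ticket(message: str):
    """Return the first JIRA key found in a commit message, or None."""
    m = JIRA_KEY.search(message)
    return m.group(1) if m else None


def evaluate(change: Change, tickets: dict) -> dict:
    """Run every gate and return a structured verdict for the audit log.

    `tickets` maps JIRA key -> state (a stand-in for a JIRA lookup).
    All checks run so the author sees every failure at once, not just the first."""
    failures = []

    ticket = extract_ticket(change.message)
    if ticket is None:
        failures.append("no JIRA key in commit message")
    elif tickets.get(ticket) not in APPROVED_STATES:
        failures.append(f"ticket {ticket} is in state {tickets.get(ticket)!r}, not approved")

    # Segregation of duties: at least one approving reviewer who is not the author.
    independent = [r for r in change.reviewers if r != change.author]
    if not independent:
        failures.append("no peer review by someone other than the author")

    blocking = [f for f in change.sast_findings if f["severity"] in BLOCKING_SEVERITIES]
    if blocking:
        rules = ", ".join(f["rule"] for f in blocking)
        failures.append(f"{len(blocking)} blocking SAST finding(s): {rules}")

    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "commit": change.commit_sha,
        "author": change.author,
        "ticket": ticket,
        "reviewers": independent,
        "allowed": not failures,
        "failures": failures,
    }


def gate(change: Change, tickets: dict, audit_log: list) -> bool:
    """Append the verdict to the audit log (one JSON line per decision) and
    return whether the change may proceed."""
    verdict = evaluate(change, tickets)
    audit_log.append(json.dumps(verdict, sort_keys=True))
    return verdict["allowed"]


# Constructed sample data so the gate runs stand-alone.
SAMPLE_TICKETS = {"SEC-101": "Approved", "SEC-102": "In Progress"}

GOOD_CHANGE = Change(
    commit_sha="a1b2c3d",
    author="alice",
    message="SEC-101 rotate API token signing key",
    reviewers=["bob"],
    sast_findings=[{"severity": "low", "rule": "unused-import"}],
)

BAD_CHANGE = Change(
    commit_sha="d4e5f6a",
    author="alice",
    message="hotfix: disable TLS verification for the staging client",
    reviewers=["alice"],  # self-approval: a segregation-of-duties violation
    sast_findings=[{"severity": "high", "rule": "ssl-verify-disabled"}],
)

if __name__ == "__main__":
    log = []
    for change in (GOOD_CHANGE, SAMPLE_TICKETS and BAD_CHANGE):
        print(change.commit_sha, "ALLOWED" if gate(change, SAMPLE_TICKETS, log) else "BLOCKED")
    print("\n".join(log))
```

The gate deliberately keeps the three controls separate: the ticket state is the documented approval, the reviewer check is the segregation of duties, and the SAST result is the technical test. Collapsing them into one boolean would lose exactly the per-control evidence an auditor asks for, which is why the verdict records each failure and the audit line is written even when the change is allowed.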
ADDING THE “SEC” INTO DEVOPS PART 2 - SECOPS
(labels from the monitoring-loop diagram, in the order the slide reveals them)
▸ Application logs
▸ Logged
▸ Alerted
▸ Reviewed and resolved
▸ Escalated
▸ Feedback
SECOPS SUMMARY
▸ Security built in on all levels
  ▸ Not only “DevSec”, but also the non-functional requirements: secrets management, logging, encryption, …
▸ Images / containers / infrastructure / network hardening
  ▸ No unnecessary software, no default passwords, firewalls in deny-all mode, monitored bastion hosts in the DMZ with session logging and strong authentication/authorization, …
▸ Configuration management, automated compliance
  ▸ Orchestrated CM, anything-as-code (including firewall rules, access control, etc.), code reviews + alerts
▸ Automated threat intelligence, scans, detection, alerting and response
  ▸ Vulnerability scans, HIDS/NIDS, log monitoring and analysis, SIEM, …
▸ Operations and Security combined in the same on-call team
  ▸ Not everyone can be a top-class security expert; keep those experts in a virtual CSIRT, not in Ops
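The monitoring loop of the two SecOps slides (application logs → logged → alerted → escalated) as an added example, not code from the talk: a sliding-window detector for failed-login bursts over JSON application log lines, where a burst raises an alert and a burst that also spreads across many accounts (spraying rather than one user mistyping) is flagged for escalation to the on-call team. The log line format, the thresholds, the escalation rule and the sample log are all constructed for this example.

```python
"""Log monitoring for the SecOps loop: parse application logs, run a detection,
turn matches into alerts, and mark the ones that need escalation.

Added example; not code from the talk. Log format, thresholds and the
escalation rule are assumptions chosen for this example."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning: 5 failures from one source within 60 s raises an alert;
# a source whose failures hit 3 or more distinct accounts is escalated.
ALERT_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
ESCALATE_DISTINCT_USERS = 3

# Constructed sample: JSON-per-line application log, one auth event per line.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:00Z", "event": "login", "result": "fail", "user": "alice", "src": "203.0.113.7"}
{"ts": "2024-03-01T10:00:05Z", "event": "login", "result": "fail", "user": "bob", "src": "203.0.113.7"}
{"ts": "2024-03-01T10:00:09Z", "event": "login", "result": "fail", "user": "carol", "src": "203.0.113.7"}
{"ts": "2024-03-01T10:00:12Z", "event": "login", "result": "fail", "user": "dave", "src": "203.0.113.7"}
{"ts": "2024-03-01T10:00:15Z", "event": "login", "result": "fail", "user": "erin", "src": "203.0.113.7"}
{"ts": "2024-03-01T10:00:20Z", "event": "login", "result": "ok", "user": "alice", "src": "198.51.100.4"}
{"ts": "2024-03-01T10:01:00Z", "event": "login", "result": "fail", "user": "frank", "src": "198.51.100.9"}
{"ts": "2024-03-01T10:01:10Z", "event": "login", "result": "fail", "user": "frank", "src": "198.51.100.9"}
{"ts": "2024-03-01T10:01:20Z", "event": "login", "result": "fail", "user": "frank", "src": "198.51.100.9"}
{"ts": "2024-03-01T10:01:30Z", "event": "login", "result": "fail", "user": "frank", "src": "198.51.100.9"}
{"ts": "2024-03-01T10:01:40Z", "event": "login", "result": "fail", "user": "frank", "src": "198.51.100.9"}
{"ts": "2024-03-01T10:05:00Z", "event": "login", "result": "fail", "user": "frank", "src": "198.51.100.9"}
"""


def parse_line(line: str) -> dict:
    """Parse one JSON log line; the timestamp becomes an aware datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


class FailedLoginDetector:
    """Sliding-window count of failed logins per source address."""

    def __init__(self):
        self.recent = defaultdict(deque)  # src -> deque of (ts, user) for failures
        self.alerted = set()              # sources already alerted, to avoid repeats

    def feed(self, rec: dict):
        """Consume one record; return an alert dict when the threshold is crossed, else None."""
        if rec.get("event") != "login" or rec.get("result") != "fail":
            return None
        q = self.recent[rec["src"]]
        q.append((rec["ts"], rec["user"]))
        # Drop failures that have fallen out of the window.
        while q and rec["ts"] - q[0][0] > WINDOW:
            q.popleft()
        if len(q) < ALERT_THRESHOLD or rec["src"] in self.alerted:
            return None
        self.alerted.add(rec["src"])
        users = sorted({u for _, u in q})
        return {
            "rule": "failed-login-burst",
            "src": rec["src"],
            "failures": len(q),
            "users": users,
            "first": q[0][0].isoformat(),
            "last": rec["ts"].isoformat(),
            "escalate": len(users) >= ESCALATE_DISTINCT_USERS,
        }


def run(log_text: str) -> list:
    """Feed every line through the detector; return the alerts in order."""
    det = FailedLoginDetector()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = det.feed(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        level = "ESCALATE" if a["escalate"] else "ALERT"
        print(f"{level}: {a['src']} made {a['failures']} failed logins against {a['users']} "
              f"between {a['first']} and {a['last']}")
```

On the sample log the first source produces an escalated alert (five accounts in fifteen seconds), the second a plain alert (one account, five tries), and the late failure at 10:05 produces nothing because the window has emptied and the source was already alerted. The "reviewed and resolved" and "feedback" steps of the loop are human steps: the alert dictionary is the record the on-call engineer works from and the thresholds are what the feedback tunes.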
OH, AND BY THE WAY … WERE YOU WORRIED ABOUT
SECURE BY (DESIGN) DEVSECOPS
OK, WE DID THAT ALL. ARE WE 100 % SECURE NOW?
Of course not :) :(, but you decreased the risks a lot:
▸ Increased prevention and detection capabilities
▸ Faster response, no handover between Security and Ops
▸ Faster recovery thanks to automation and *-as-a-code
▸ Cultural change, better communication and straightforward feedback
THANKS FOR YOUR ATTENTION! ANY QUESTIONS?
Tomas Honzak
tomas@honzak.cz