How to build security into the DevOps environment. Introduction to DevSecOps for DevOps / Agile enthusiasts and practitioners. Presented at the Czech DevOps meet-up.
30. TOMAS HONZAK / DEVSECOPS
BUT HOW WILL IT END UP? (slides 30-34, built up step by step)
Diagram items, in the order they appear: Release Plan; Change Control Board Approval; Release Manager Approval; Documented Meeting Minutes; Project Manager
35-43. AND WE STILL DID NOT ADD ANY “REAL” SECURITY …
Diagram items added on top of the release chain: Dynamic code analysis; Secure Code Review
44-47. IF ONLY THERE WAS A BETTER WAY…
49-51. KEY DEVSECOPS PRINCIPLES
▸ Embrace the cultural and practical changes
▸ Integrate security in the whole lifecycle, from requirements, design and analysis to testing, deployment and operations
▸ Automate your critical processes
▸ Automation helps prevent errors and omissions and provides reliable assurance both for you and your auditors
▸ Empower your teams
▸ Like all things Agile, the teams must know what they are doing
52-61. ADDING THE “SEC” INTO DEVOPS PART 1 - DEVSEC
Pipeline diagram, built up step by step: JIRA # TO COMMIT MESSAGE; “COMPLIANCE CHECK”; SAST; SIGN THE PACKAGE; VERIFY THE SIGNATURE; BURP SUITE / OWASP ZAP; APPLY CONFIGURATION AS A CODE; SECURE AND AUTOMATED; LOGGED, ALERTED, REVIEWED
62. DEVSEC SUMMARY
▸ Move security as far to the left as possible
▸ Enhance your CI/CD pipeline with security testing tools
▸ Static code analysis (SonarQube)
▸ Lightweight penetration testing (Burp / OWASP ZAP)
▸ Enforce change control, approvals and SoD by gating (Zuul)
▸ “JIRA ticket = approval, peer review = SoD”
▸ Secure the environment and log everything (traceability and accountability)
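The gating rules in this summary (ticket reference in every commit as the approval record, an approver other than the author as separation of duties, SAST/DAST findings blocking the build) can be written down as one pipeline gate. The following is an added example for this page, not the speaker's own pipeline or a Zuul configuration; the JIRA project keys, the severity scale, the blocking threshold and the change-record layout are assumptions chosen for illustration.

```python
"""CI gate implementing "JIRA ticket = approval, peer review = SoD"
plus a SAST/DAST severity threshold. Constructed example; project keys,
severity scale and record layout are assumptions."""
import re
from dataclasses import dataclass, field

# Assumption: tickets look like SEC-123 / OPS-45 for these project keys.
ALLOWED_PROJECTS = ("SEC", "OPS")
TICKET_RE = re.compile(r"\b(?:%s)-\d+\b" % "|".join(ALLOWED_PROJECTS))

# Assumed severity scale for scanner findings; "high" and above block.
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCK_AT = "high"


@dataclass
class Change:
    commits: list          # list of (author, commit message)
    approved_by: list      # reviewers who approved the merge request
    sast_findings: list    # list of (severity, description)
    dast_findings: list    # list of (severity, description)


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)


def tickets_in(message: str) -> set:
    """Ticket keys referenced in a commit message (only allowed projects)."""
    return set(TICKET_RE.findall(message))


def evaluate(change: Change) -> GateResult:
    reasons = []
    authors = {author for author, _ in change.commits}
    # 1. Approval: every commit must reference a ticket.
    for author, msg in change.commits:
        if not tickets_in(msg):
            reasons.append(f"commit by {author} has no JIRA ticket: {msg!r}")
    # 2. Separation of duties: someone who wrote none of the commits approved.
    if not [r for r in change.approved_by if r not in authors]:
        reasons.append("no approval from a reviewer other than the author(s)")
    # 3. Security testing: findings at or above the threshold block the build.
    threshold = SEVERITY[BLOCK_AT]
    for kind, findings in (("SAST", change.sast_findings),
                           ("DAST", change.dast_findings)):
        for sev, desc in findings:
            if SEVERITY[sev] >= threshold:
                reasons.append(f"{kind} {sev}: {desc}")
    return GateResult(allowed=not reasons, reasons=reasons)


# Constructed sample changes (not real project data).
GOOD = Change(
    commits=[("alice", "SEC-42 add input validation to login form")],
    approved_by=["bob"],
    sast_findings=[("low", "unused import")],
    dast_findings=[],
)
BAD = Change(
    commits=[("alice", "fix stuff"), ("alice", "OPS-7 bump version")],
    approved_by=["alice"],            # self-approval: no SoD
    sast_findings=[("high", "SQL built with string concatenation")],
    dast_findings=[("medium", "missing X-Content-Type-Options header")],
)

if __name__ == "__main__":
    for name, change in (("GOOD", GOOD), ("BAD", BAD)):
        result = evaluate(change)
        print(name, "ALLOWED" if result.allowed else "BLOCKED")
        for reason in result.reasons:
            print("  -", reason)
```

Running it blocks BAD for three independent reasons (a commit without a ticket, self-approval, and a high SAST finding) while the medium DAST finding only gets reported; the same function can run as a Zuul or any other CI gate job so that the ticket and the review, not a meeting, are the audit trail.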
63-72. ADDING THE “SEC” INTO DEVOPS PART 2 - SECOPS
Diagram, built up step by step: APPLICATION LOGS; LOGGED; ALERTED; REVIEWED AND RESOLVED; ESCALATED; FEEDBACK
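The LOGGED, ALERTED, ESCALATED chain in this diagram is detection logic running over application logs. Below is an added example for this page, not the speaker's tooling: a small detector that raises a medium alert when one source produces a burst of failed logins and escalates to high when that same source then logs in successfully. The log line format, the window, the threshold and the sample lines are all constructed for illustration.

```python
"""Detection over application logs: LOGGED -> ALERTED -> ESCALATED.
Constructed example; log format, thresholds and escalation rule are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: ISO-8601 timestamp, event name, key=value fields.
LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")

# Constructed sample: a spray of failures from one source, one benign
# failure from another source, then a success from the spraying source.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z login_failed user=alice src=203.0.113.5
2023-05-01T10:00:02Z login_failed user=bob src=203.0.113.5
2023-05-01T10:00:03Z login_failed user=carol src=203.0.113.5
2023-05-01T10:00:04Z login_failed user=dave src=203.0.113.5
2023-05-01T10:00:05Z login_failed user=erin src=203.0.113.5
2023-05-01T10:00:09Z login_failed user=frank src=198.51.100.7
2023-05-01T10:00:40Z login_ok user=erin src=203.0.113.5
2023-05-01T10:20:00Z login_failed user=alice src=203.0.113.5
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed: 5 failures in a window alerts


def parse(line):
    """Return (timestamp, event, fields) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return ts, m.group(2), fields


def detect(log_text):
    """Return alerts as dicts with 'severity', 'src' and 'detail', in order."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerted = set()                # sources that already triggered an alert
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, f = rec
        src = f.get("src", "?")
        if event == "login_failed":
            # Keep only failures inside the sliding window, then add this one.
            window = [t for t in failures[src] if ts - t <= WINDOW] + [ts]
            failures[src] = window
            if len(window) >= THRESHOLD and src not in alerted:
                alerted.add(src)
                alerts.append({"severity": "medium", "src": src,
                               "detail": f"{len(window)} failed logins "
                                         f"within {WINDOW.seconds}s"})
        elif event == "login_ok" and src in alerted:
            # Escalation: a success from a source that was already brute-forcing
            # is the case the on-call team must look at, not just review later.
            alerts.append({"severity": "high", "src": src,
                           "detail": f"successful login for {f.get('user')} "
                                     f"after brute-force alert"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["src"], alert["detail"])
```

On the sample the detector emits exactly two alerts: the medium one after the fifth failure from 203.0.113.5 and the high one when erin's login from that address succeeds; the single failure from 198.51.100.7 and the failure twenty minutes later stay below threshold. In a real deployment the same rule would live in the SIEM or log pipeline and the "high" result is what gets escalated to the on-call team.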
73. SECOPS SUMMARY
▸ Security built in on all levels
▸ Not only “DevSec”, but also the non-functional requirements: secrets management, logging, encryption, …
▸ Images / containers / infrastructure / network hardening
▸ No unnecessary software, no default passwords, firewalls in deny-all mode, monitored bastion hosts in the DMZ with session logging and strong authentication/authorization, …
▸ Configuration management, automated compliance
▸ Orchestrated CM, anything-as-a-code (including firewall rules, access control etc.), code reviews + alerts
▸ Automated threat intelligence, scans, detection, alerting and response
▸ Vulnerability scans, HIDS/NIDS, log monitoring and analysis, SIEM, …
▸ Combination of Operations and Security in the same on-call team
▸ Not everyone can be a top-class security expert; keep those in a virtual CSIRT, not in Ops
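"Firewalls in deny-all mode" and "anything-as-a-code (including fw rules) + code reviews + alerts" combine into an automated compliance check that runs on the rule file itself before it is applied. The following is an added example for this page, not the speaker's configuration or any specific firewall product's format: the JSON layout, the rule fields, the admin-port list and the policy being enforced (default deny, no admin port open to the whole Internet, a ticket reference on every allow rule) are assumptions.

```python
"""Compliance check for firewall rules kept as code.
Constructed example; JSON layout, fields and policy are assumptions."""
import ipaddress
import json
import re

ADMIN_PORTS = {22, 3389}                       # assumed: SSH and RDP
TICKET_RE = re.compile(r"\b[A-Z]{2,}-\d+\b")   # assumed ticket key shape

# Constructed sample ruleset as it might be committed to the repository.
RULESET_JSON = """
{
  "default_policy": "allow",
  "rules": [
    {"name": "web-in",   "action": "allow", "src": "0.0.0.0/0",     "port": 443,  "ticket": "OPS-12"},
    {"name": "ssh-any",  "action": "allow", "src": "0.0.0.0/0",     "port": 22,   "ticket": "OPS-13"},
    {"name": "ssh-vpn",  "action": "allow", "src": "10.8.0.0/16",   "port": 22,   "ticket": ""},
    {"name": "rdp-bast", "action": "allow", "src": "192.0.2.10/32", "port": 3389, "ticket": "SEC-3"}
  ]
}
"""


def check(ruleset: dict) -> list:
    """Return a list of violation strings; an empty list means compliant."""
    violations = []
    # Deny-all mode: anything not explicitly allowed must be dropped.
    if ruleset.get("default_policy") != "deny":
        violations.append("default policy is not deny")
    for rule in ruleset.get("rules", []):
        name = rule.get("name", "<unnamed>")
        if rule.get("action") != "allow":
            continue
        net = ipaddress.ip_network(rule["src"], strict=False)
        # An admin port reachable from every address is the classic exposure.
        if rule["port"] in ADMIN_PORTS and net.prefixlen == 0:
            violations.append(f"{name}: admin port {rule['port']} open to {net}")
        # Traceability: the ticket is the approval record for the rule.
        if not TICKET_RE.search(rule.get("ticket", "")):
            violations.append(f"{name}: allow rule without ticket reference")
    return violations


def check_json(text: str) -> list:
    return check(json.loads(text))


def remediate(ruleset: dict) -> dict:
    """Return a compliant copy: default deny, and only the allow rules that
    pass on their own. Rejected rules must come back through review with a
    narrower source or a ticket reference."""
    fixed = {"default_policy": "deny", "rules": []}
    for rule in ruleset.get("rules", []):
        if not check({"default_policy": "deny", "rules": [rule]}):
            fixed["rules"].append(rule)
    return fixed


if __name__ == "__main__":
    for violation in check_json(RULESET_JSON):
        print("VIOLATION:", violation)
    print(json.dumps(remediate(json.loads(RULESET_JSON)), indent=2))
```

On the sample the check reports three violations (default policy is allow, SSH open to 0.0.0.0/0, and an allow rule with no ticket) and keeps only the HTTPS rule and the bastion-scoped RDP rule. Wired into the review pipeline, a non-empty result fails the merge request and raises the alert the summary asks for, so a rule change is reviewed as code instead of being typed into a console.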
74-76. OH, AND BY THE WAY … WERE YOU WORRIED ABOUT
Diagram: SECURE BY (DESIGN) DEVSECOPS
77-82. OK, WE DID THAT ALL. ARE WE 100 % SECURE NOW?
Of course not :) :(, but you have reduced the risks a lot:
▸ Increased prevention and detection capabilities
▸ Faster response, no handover between Security and Ops
▸ Faster recovery thanks to automation and *-as-a-code
▸ Cultural change, better communication and straightforward feedback