SlideShare a Scribd company logo

DevSecOps | DevOps Sec

Rubal Jain
Rubal Jain

DevSecOps enables organizations to deliver secure software at DevOps speed. Development - Software releases and updates Operations - Reliability Performance & Scaling Security - Confidentiality, Availability, Integrity

1 of 20
Download to read offline
DevSecOps “Everyone is responsible for security”
Quick look at DevOps DevOps is a set of practices that automates the processes between software development and IT teams, in order that they can build, test, and release software faster and more reliably. It's a firm handshake between development and operations that emphasizes a shift in mindset, better collaboration, and tighter integration. It unites agile, continuous delivery, automation, and much more, to help development and operations teams be more efficient, innovate faster, and deliver higher value to businesses and customers. Source: https://en.wikipedia.org/wiki/DevOps
Better, faster, cheaper software with DevOps but is it secure? COMPANY DEPLOY FREQUENCY DEPLOY LEAD TIME RELIABILITY CUSTOMER RESPONSIVENESS AMAZON 23000 / day Minutes High High GOOGLE 5500 / day Minutes High High NETFLIX 500 /day Minutes High High FACEBOOK 1 / day Minutes High High TWITTER 3 / week Minutes High High TYPICAL ENTERPRISE Once in every 9 Months Months or quarters Low / Medium Low / Medium
Meet DevSecOps DevSecOps seeks to achieve greater efficiency and productivity by incorporating security principles within DevOps process. DevSecOps enables organisations to deliver the secure software at DevOps speed. Source: https://www.checkmarx.com/wp-content/uploads/2016/07/Dev-Software-releases-.png
DevSecOps in 3 key categories ProcessesCulture Technologies
Culture ● Communication and transparency ● High trust environment ● Continuous improvement ● Everyone is responsible for security ● Automate as much as possible ● Everything as code ○ Infrastructure as code ○ Security as code ○ Compliance as code
Processes Secure SDLC
DevSecOps | DevOps Sec
How do we integrate AppSec pipeline in DevOps?
How do we integrate AppSec pipeline in DevOps? AppSec Pipeline Unit Tests Integration Tests Code Analysis Create Docker Image Start Docker Image Load Tests Deploy Load Test Server Test Production git DevOps Pipeline
Technologies - Incorporate the security principles in DevOps SDLC Technologies Requirements - Code SAST, IDE Plugins Test Gauntlt, DAST (Dradis, Scout2, OpenVas, ZAP) Configure Everything as code Maintenance Patch Management (Phoenix) Monitor Auditing, Attack, RASP, ELK
Trainings Secure Coding Practices It will help organisations to develop the secure code in order to eliminate the risks and threats at development stage. ● Secure code trainings ● Code review ● Best coding practices
Code DevSecOps enables developers to write the secure code by integrating the security plugins in IDE. SAST - Secure code analysis tool, also referred to as Static Application Security Testing tools, designed to analyze the source code to help find the security flaws. ● Sonarqube ● Checkmarx ● IBM App Scan
Test - Automate as much as possible. DAST - A dynamic analysis security testing tool, or a DAST test, is an application security solution that can help to find certain vulnerabilities in web applications while they are running in production Gauntlt - Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes. ● Curl ● nmap ● sqlmap ● Garmr ● sslyze
Configure Everything as code ● Infrastructure as code ● Security as code Platform requirements, server hardening etc. should not be a problem in today’s world. We should learn to codify as much as possible. It enables Dev, Sec and Ops team to perform actions on a single click. ● Docker - Containerized applications ● Kubernetes - Automated deployment, scaling and management of containerized applications
Maintenance Patch Management Phoenix deployment strategies can help organisation to quickly deploy the completely new instance of the application that is patched to the production environment and parallely destroy the existing instance. It would help organisation to eliminate all the configuration drift or even technical issues at DevOps speed.
Monitor Ability to monitor the secure SDLC. ● Auditing ● Attack Visibility
RASP Runtime application self-protection security (RASP) It is a security technology that is built into an application and can detect and then prevent real-time application attacks. RASP prevents attacks by “self-protecting” or reconfiguring automatically without human intervention in response to certain conditions (threats, faults, etc.)
ChatSecOps ChatSecOps enables organisations to make the safe service portals which are being used for chatting. For eg: Slack, HipChat etc. Ex: Imagine a simple chat command to push the code to QA and it’s done.
Thank You

More Related Content

DevSecOps | DevOps Sec

  • 2. Quick look at DevOps DevOps is a set of practices that automates the processes between software development and IT teams, in order that they can build, test, and release software faster and more reliably. It's a firm handshake between development and operations that emphasizes a shift in mindset, better collaboration, and tighter integration. It unites agile, continuous delivery, automation, and much more, to help development and operations teams be more efficient, innovate faster, and deliver higher value to businesses and customers. Source: https://en.wikipedia.org/wiki/DevOps
  • 3. Better, faster, cheaper software with DevOps but is it secure? COMPANY DEPLOY FREQUENCY DEPLOY LEAD TIME RELIABILITY CUSTOMER RESPONSIVENESS AMAZON 23000 / day Minutes High High GOOGLE 5500 / day Minutes High High NETFLIX 500 /day Minutes High High FACEBOOK 1 / day Minutes High High TWITTER 3 / week Minutes High High TYPICAL ENTERPRISE Once in every 9 Months Months or quarters Low / Medium Low / Medium
  • 4. Meet DevSecOps DevSecOps seeks to achieve greater efficiency and productivity by incorporating security principles within DevOps process. DevSecOps enables organisations to deliver the secure software at DevOps speed. Source: https://www.checkmarx.com/wp-content/uploads/2016/07/Dev-Software-releases-.png
  • 5. DevSecOps in 3 key categories ProcessesCulture Technologies
  • 6. Culture ● Communication and transparency ● High trust environment ● Continuous improvement ● Everyone is responsible for security ● Automate as much as possible ● Everything as code ○ Infrastructure as code ○ Security as code ○ Compliance as code
  • 9. How do we integrate AppSec pipeline in DevOps?
  • 10. How do we integrate AppSec pipeline in DevOps? AppSec Pipeline Unit Tests Integration Tests Code Analysis Create Docker Image Start Docker Image Load Tests Deploy Load Test Server Test Production git DevOps Pipeline
  • 11. Technologies - Incorporate the security principles in DevOps SDLC Technologies Requirements - Code SAST, IDE Plugins Test Gauntlt, DAST (Dradis, Scout2, OpenVas, ZAP) Configure Everything as code Maintenance Patch Management (Phoenix) Monitor Auditing, Attack, RASP, ELK
  • 12. Trainings Secure Coding Practices It will help organisations to develop the secure code in order to eliminate the risks and threats at development stage. ● Secure code trainings ● Code review ● Best coding practices
  • 13. Code DevSecOps enables developers to write the secure code by integrating the security plugins in IDE. SAST - Secure code analysis tool, also referred to as Static Application Security Testing tools, designed to analyze the source code to help find the security flaws. ● Sonarqube ● Checkmarx ● IBM App Scan
  • 14. Test - Automate as much as possible. DAST - A dynamic analysis security testing tool, or a DAST test, is an application security solution that can help to find certain vulnerabilities in web applications while they are running in production Gauntlt - Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes. ● Curl ● nmap ● sqlmap ● Garmr ● sslyze
  • 15. Configure Everything as code ● Infrastructure as code ● Security as code Platform requirements, server hardening etc. should not be a problem in today’s world. We should learn to codify as much as possible. It enables Dev, Sec and Ops team to perform actions on a single click. ● Docker - Containerized applications ● Kubernetes - Automated deployment, scaling and management of containerized applications
  • 16. Maintenance Patch Management Phoenix deployment strategies can help organisation to quickly deploy the completely new instance of the application that is patched to the production environment and parallely destroy the existing instance. It would help organisation to eliminate all the configuration drift or even technical issues at DevOps speed.
  • 17. Monitor Ability to monitor the secure SDLC. ● Auditing ● Attack Visibility
  • 18. RASP Runtime application self-protection security (RASP) It is a security technology that is built into an application and can detect and then prevent real-time application attacks. RASP prevents attacks by “self-protecting” or reconfiguring automatically without human intervention in response to certain conditions (threats, faults, etc.)
  • 19. ChatSecOps ChatSecOps enables organisations to make the safe service portals which are being used for chatting. For eg: Slack, HipChat etc. Ex: Imagine a simple chat command to push the code to QA and it’s done.