24
Preventing Devoops with DevSecOps Kieran Jacobsen Technical Lead – Infrastructure & Security

DevSecOps - CrikeyCon 2017

Embed Size (px)

Citation preview

Page 1: DevSecOps - CrikeyCon 2017

Preventing Devoops with

DevSecOpsKieran Jacobsen

Technical Lead – Infrastructure & Security

Page 2: DevSecOps - CrikeyCon 2017

2016 was a big year…

/ Copyright ©2017 by Readify Limited 2

Page 3: DevSecOps - CrikeyCon 2017

2017 is getting of to a bad start…

3

Page 4: DevSecOps - CrikeyCon 2017

Before DevOps

Page 5: DevSecOps - CrikeyCon 2017

DevOps

Page 6: DevSecOps - CrikeyCon 2017

But Where Is Security?

Page 7: DevSecOps - CrikeyCon 2017

DevSecOps

Clear Communication Pathways Streamlined Communication Security As Code Training Integrate Security into DevOps cycle

Page 8: DevSecOps - CrikeyCon 2017

Communication Pathways

Development Operations

Security

Page 9: DevSecOps - CrikeyCon 2017

Streamlined Communication

NO: Excel checklists Word document reports and policy documents Email attachments

Page 10: DevSecOps - CrikeyCon 2017

Streamlined Communication

YES: Backlogs/boards

Page 11: DevSecOps - CrikeyCon 2017

Streamlined Communication

YES: Backlogs/boards Support ticketing

Page 12: DevSecOps - CrikeyCon 2017

Streamlined Communication

YES: Backlogs/boards Support ticketing Markup and Git

Page 13: DevSecOps - CrikeyCon 2017

Security As Code

Application Source Code Azure ARM and AWS Cloud Formation Server Configuration – Chef, Puppet, DSC

Page 14: DevSecOps - CrikeyCon 2017

ARM Templates

Page 15: DevSecOps - CrikeyCon 2017

PowerShell DSC

Page 16: DevSecOps - CrikeyCon 2017

Training

We can’t be experts in Dev, Sec and Ops We need cross pollination of skills Starts at day 0

Page 17: DevSecOps - CrikeyCon 2017

Integrating Security

Page 18: DevSecOps - CrikeyCon 2017

Plan

Integrate security into sprint planning and reviews Consider security user stories early

Page 19: DevSecOps - CrikeyCon 2017

Code

Training! Test driven development Use of the correct tools Pull Requests

Page 20: DevSecOps - CrikeyCon 2017

Build

Static code analysis Dynamic code analysis

Page 21: DevSecOps - CrikeyCon 2017

Test

Develop security test cases Fuzzing Load testing

Page 22: DevSecOps - CrikeyCon 2017

Release & Deploy

Automated scanning upon deployment

Page 23: DevSecOps - CrikeyCon 2017

Operate & Monitor

Monitor logs Rescan for vulnerabilities Have a structured patch process Track dependencies

Page 24: DevSecOps - CrikeyCon 2017

Thank You


DevSecOps Fundamentals

DevSecOps Fundamentals

Documents
The Human Side of DevSecOps

The Human Side of DevSecOps

Software
DevSecOps Fundamentals Playbook

DevSecOps Fundamentals Playbook

Documents
addressing IoT challenges through DevSecOps

addressing IoT challenges through DevSecOps

Documents
DEVSECOPS FOR HYBRID CLOUD

DEVSECOPS FOR HYBRID CLOUD

Documents
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevSecOps

DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevSecOps

Presentations & Public Speaking
DEVSECOPS: Coding DevSecOps journey

DEVSECOPS: Coding DevSecOps journey

Technology
DevOps, DevSecOps, and vArmour - Whitepaper DevSecOps, and... · DevOps and DevSecOps DevOps has become a well established practice within many organizations. It aims to improve the

DevOps, DevSecOps, and vArmour - Whitepaper DevSecOps, and... · DevOps and DevSecOps DevOps has become a well established practice within many organizations. It aims to improve the

Documents
Presentation: DoD Enterprise DevSecOps Initiative

Presentation: DoD Enterprise DevSecOps Initiative

Documents
DevSecOps Best Practices and Considerations

DevSecOps Best Practices and Considerations

Documents
DevSecOps Overview - NYS Forum Home · 11/14/2018  · DevSecOps Overview November 14, 2018 ... 3 Benefits of DevSecOps 4 How to Implement DevSecOps 5 Summary / Questions. Security

DevSecOps Overview - NYS Forum Home · 11/14/2018  · DevSecOps Overview November 14, 2018 ... 3 Benefits of DevSecOps 4 How to Implement DevSecOps 5 Summary / Questions. Security

Documents
CrikeyCon 2015 - iOS Runtime Hacking Crash Course

CrikeyCon 2015 - iOS Runtime Hacking Crash Course

Mobile
The Journey to DevSecOps

The Journey to DevSecOps

Technology
DevSecOps Insights - Snyk

DevSecOps Insights - Snyk

Documents
DevSecOps of Containerization

DevSecOps of Containerization

Documents
What is DevSecOps? Pipelines...What is DevSecOps? DevSecOps is a methodology in which security is integrated into the entire life cycle of application development. Rather than being

What is DevSecOps? Pipelines...What is DevSecOps? DevSecOps is a methodology in which security is integrated into the entire life cycle of application development. Rather than being

Documents
DevSecOps Journey - CSO50 Conference · DevSecOps Journey 2/28/2018. 3/3/2018 Confidential –Internal Distribution 2 Agenda • DevSecOps @ Fannie Mae o The Challenges and The Promises

DevSecOps Journey - CSO50 Conference · DevSecOps Journey 2/28/2018. 3/3/2018 Confidential –Internal Distribution 2 Agenda • DevSecOps @ Fannie Mae o The Challenges and The Promises

Documents
CSA - DevSecOps v1 compressed//aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/ CodePipeline security group ... CSA - DevSecOps v1 compressed Created Date:

CSA - DevSecOps v1 compressed//aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/ CodePipeline security group ... CSA - DevSecOps v1 compressed Created Date:

Documents
DevSecOps @ Veracode: Security Champions...2017/10/04  · DevSecOps @ Veracode: Security Champions Chris Eng Vice President, Research 2 Chris Eng, VP of Research • 15+ years focused

DevSecOps @ Veracode: Security Champions...2017/10/04  · DevSecOps @ Veracode: Security Champions Chris Eng Vice President, Research 2 Chris Eng, VP of Research • 15+ years focused

Documents
Overcoming DevSecOps Challenges

Overcoming DevSecOps Challenges

Documents
DevSecOps: Why security is essential · DevSecOps doesn’t happen all at once for most organizations; it is a journey. Although the DevSecOps journey is enabled by technology, the

DevSecOps: Why security is essential · DevSecOps doesn’t happen all at once for most organizations; it is a journey. Although the DevSecOps journey is enabled by technology, the

Documents
The DevSecOps Playbook - 2017.appsec.eu DevSecOps Playbook … · 24 HRS SECURITY GROUPS-> 24 HRS ESCALATION OF PRIVS-> 5 D KNOWN VULN-> 8 HRS. ... • Identifying a strategy/roadmap

The DevSecOps Playbook - 2017.appsec.eu DevSecOps Playbook … · 24 HRS SECURITY GROUPS-> 24 HRS ESCALATION OF PRIVS-> 5 D KNOWN VULN-> 8 HRS. ... • Identifying a strategy/roadmap

Documents
오픈소스로 만나보는 DevSecOps · 삼성 오픈소스 컨퍼런스 오픈소스로 만나보는 DevSecOps 우아한형제들 조민재 minjae.cho@gmail.com 2018년 10월 18일

오픈소스로 만나보는 DevSecOps · 삼성 오픈소스 컨퍼런스 오픈소스로 만나보는 DevSecOps 우아한형제들 조민재 [email protected] 2018년 10월 18일

Documents
DevSecOps and the DevOps Superpattern

DevSecOps and the DevOps Superpattern

Technology
DevSecOps PLAYBOOK - Cprime

DevSecOps PLAYBOOK - Cprime

Documents
DoD Enterprise DevSecOps Fundamentals · 2021. 6. 11. · DevSecOps, including normalized definitions of DevSecOps concepts. Other pertinent information is captured in corresponding

DoD Enterprise DevSecOps Fundamentals · 2021. 6. 11. · DevSecOps, including normalized definitions of DevSecOps concepts. Other pertinent information is captured in corresponding

Documents
DevSecOps and the Public Sector

DevSecOps and the Public Sector

Documents
DevSecOps in 10 minutes

DevSecOps in 10 minutes

Software
DoD Enterprise DevSecOps Community of Practice · 2021. 6. 29. · ECMA and Army Software Factory's DevSecOps ... Project Ridgway are users of the DevSecOps ecosystem. 7. ... Continuous

DoD Enterprise DevSecOps Community of Practice · 2021. 6. 29. · ECMA and Army Software Factory's DevSecOps ... Project Ridgway are users of the DevSecOps ecosystem. 7. ... Continuous

Documents
DevSecOps Singapore 2017 - Security in the Delivery Pipeline

DevSecOps Singapore 2017 - Security in the Delivery Pipeline

Engineering