• Home

  • Technology

  • Application Security at DevOps Speed - DevOpsDays Singapore 2016
20
Security at DevOps Speed Stefan Streichsbier CTO Vantage Point Founder DevSecOps Singapore [email protected] @s_streichsbier

Application Security at DevOps Speed - DevOpsDays Singapore 2016

Embed Size (px)

Citation preview

Page 1: Application Security at DevOps Speed - DevOpsDays Singapore 2016

Security at DevOps Speed

Stefan StreichsbierCTO Vantage PointFounder DevSecOps Singapore [email protected]

@s_streichsbier

Page 2: Application Security at DevOps Speed - DevOpsDays Singapore 2016

What is AppSec?

Page 3: Application Security at DevOps Speed - DevOpsDays Singapore 2016

Why does AppSec == Pain?

Page 4: Application Security at DevOps Speed - DevOpsDays Singapore 2016

Pentesters after turning a report in...

Page 5: Application Security at DevOps Speed - DevOpsDays Singapore 2016

Security

Page 6: Application Security at DevOps Speed - DevOpsDays Singapore 2016

Meanwhile outside the security camp...

Page 7: Application Security at DevOps Speed - DevOpsDays Singapore 2016

0

20

40

60

80

100

120

140

2005 2010 2015 2020

The frequency of releases over time

Releases per app per year

Towards CD

From Waterfall

The frequency increased

Page 8: Application Security at DevOps Speed - DevOpsDays Singapore 2016

8

So many releases?!

Page 9: Application Security at DevOps Speed - DevOpsDays Singapore 2016

Security

DevOps

Page 10: Application Security at DevOps Speed - DevOpsDays Singapore 2016

10

Agile + DevOps + Security = DevSecOps

Page 11: Application Security at DevOps Speed - DevOpsDays Singapore 2016

Step 1:Security as part of Agile

Page 12: Application Security at DevOps Speed - DevOpsDays Singapore 2016

1-4Weeks

24 hours

Develop

Test

Design

Plan

Output

Shippable Increment

Product Backlog Sprint Backlog

Let’s look at SCRUM

Start with understanding the process

Page 13: Application Security at DevOps Speed - DevOpsDays Singapore 2016

1-4Weeks

24 hours

Develop

Test

Design

Plan

Output

Shippable Increment

Product Backlog Sprint Backlog

Secure SCRUM

Security Training

Security Requirements

Security Activities

Threat Modelling

Design Review

Pairing

Manual Security Tests

Automatic Security Tests

Security Feature Demo Security Retrospective

Security Acceptance Criteria

Page 14: Application Security at DevOps Speed - DevOpsDays Singapore 2016

(Security)User Stories

Page 15: Application Security at DevOps Speed - DevOpsDays Singapore 2016

(Security) Unit Tests

Page 16: Application Security at DevOps Speed - DevOpsDays Singapore 2016

0

20

40

60

80

100

120

Sprint 1 Sprint 2 Sprint 3 Sprint 4 Sprint 5 Sprint 6% Remaining Security work % App Robustness, Security Skills

Security Debt Burndown

Page 17: Application Security at DevOps Speed - DevOpsDays Singapore 2016

Step 2: DevSecOps

Page 18: Application Security at DevOps Speed - DevOpsDays Singapore 2016

VulnerabilityRepository

• Security Unit Tests

• SAST• SCA

• DAST• IAST• VA

• Security as Code• RASP• NG WAF

• Red Team• GOPT• Actual Attackers

• Sec Requirements• Design Review• Threat Modelling

AppSec Pipeline

Page 19: Application Security at DevOps Speed - DevOpsDays Singapore 2016

Instead of this ...

Page 20: Application Security at DevOps Speed - DevOpsDays Singapore 2016

...Let’s do this...


DevOps @Scale (Greek Tragedy in 3 Acts) as it was presented at DevOpsDays Charlotte 2017

DevOps @Scale (Greek Tragedy in 3 Acts) as it was presented at DevOpsDays Charlotte 2017

Technology
Hold My Beer, I'm going to do DevOps with DICOM, HIPAA, and Hospitals, or at least try - Gil Bahat - DevOpsDays Tel Aviv 2017

Hold My Beer, I'm going to do DevOps with DICOM, HIPAA, and Hospitals, or at least try - Gil Bahat - DevOpsDays Tel Aviv 2017

Technology
DevOpsDays Chicago 2014 - Controlling Devops

DevOpsDays Chicago 2014 - Controlling Devops

Technology
Devopsdays Tokyo 2012

Devopsdays Tokyo 2012

Technology
Devops at SlideShare: Talk at Devopsdays Bangalore 2011

Devops at SlideShare: Talk at Devopsdays Bangalore 2011

Technology
DevOps IRL - Jason Grimes - DevOpsDays Tel Aviv 2017

DevOps IRL - Jason Grimes - DevOpsDays Tel Aviv 2017

Technology
Scaling A Start-up DevOps Team To 10x While Scaling The System 50x - DevOpsDays Austin 2014

Scaling A Start-up DevOps Team To 10x While Scaling The System 50x - DevOpsDays Austin 2014

Software
ITIL and DevOps at War in the Enterprise - DevOpsDays Amsterdam 2014

ITIL and DevOps at War in the Enterprise - DevOpsDays Amsterdam 2014

Presentations & Public Speaking
Devopsdays barcelona

Devopsdays barcelona

Technology
Continuous Delivery - DevOps · Continuous Delivery Jez Humble, ThoughtWorks Studios @jezhumble #continuousdelivery DevOpsDays, Hamburg

Continuous Delivery - DevOps · Continuous Delivery Jez Humble, ThoughtWorks Studios @jezhumble #continuousdelivery DevOpsDays, Hamburg

Documents
Devopsdays downunder-vfinal

Devopsdays downunder-vfinal

Technology
DevOpsDays Singapore 2015

DevOpsDays Singapore 2015

Technology
It automation & devops - devopsdays istambul 2016

It automation & devops - devopsdays istambul 2016

Software
Groovy DevOps in the Cloud for DevOpsDays in Ljubljana 2014

Groovy DevOps in the Cloud for DevOpsDays in Ljubljana 2014

Software
Scaling ELK Stack - DevOpsDays Singapore

Scaling ELK Stack - DevOpsDays Singapore

Internet
Devopsdays Austin 2014 Ignite: Keep devops weird

Devopsdays Austin 2014 Ignite: Keep devops weird

Entertainment & Humor
Cloudy with a chance of devops (devopsdays London)

Cloudy with a chance of devops (devopsdays London)

Technology
Bridging DevOps Cultures DevOpsDays Silicon Valley 2015 Welcome

Bridging DevOps Cultures DevOpsDays Silicon Valley 2015 Welcome

Technology
DevOps?! That's not my job! - Nathen Harvey, Chef - DevOpsDays Tel Aviv 2016

DevOps?! That's not my job! - Nathen Harvey, Chef - DevOpsDays Tel Aviv 2016

Technology
through Events Building the Tech EcosystemCape Town DevOps Meetup DevOpsDays Cape Town DevOpsDays Global Core Team. 10 YEARS OF #devopsdays @bridgetkromhout. WHAT IS COMMUNITY? A group

through Events Building the Tech EcosystemCape Town DevOps Meetup DevOpsDays Cape Town DevOpsDays Global Core Team. 10 YEARS OF #devopsdays @bridgetkromhout. WHAT IS COMMUNITY? A group

Documents
Devopsdays Enstratus Overview

Devopsdays Enstratus Overview

Technology
DevOpsDays SV 2013: DevOps = Change

DevOpsDays SV 2013: DevOps = Change

Technology
DevOps Tactical Adoption Theory - DevOpsDays istanbul 2016

DevOps Tactical Adoption Theory - DevOpsDays istanbul 2016

Software
importancia de las personas sobre las herramientas devops - devopsdays cuba

importancia de las personas sobre las herramientas devops - devopsdays cuba

Technology
Design patterns for efficient DevOps processes - Rebecca Fitzhugh - DevOpsDays Tel Aviv 2017

Design patterns for efficient DevOps processes - Rebecca Fitzhugh - DevOpsDays Tel Aviv 2017

Technology
DevOps Measurement - DevOpsDays DC

DevOps Measurement - DevOpsDays DC

Technology
DEVOPSDAYS DETROIT DEVOPS README README.md.pdfDEVOPS README.MD CONTINUOUS DELIVERY Provides focus for deploying software faster Emphasizes automation (you must automate first) When

DEVOPSDAYS DETROIT DEVOPS README README.md.pdfDEVOPS README.MD CONTINUOUS DELIVERY Provides focus for deploying software faster Emphasizes automation (you must automate first) When

Documents
Get your brand in front of the DevOps community at DevOpsDays … · Get your brand in front of the DevOps community at DevOpsDays Auckland 2019! DevOpsDays is a worldwide community

Get your brand in front of the DevOps community at DevOpsDays … · Get your brand in front of the DevOps community at DevOpsDays Auckland 2019! DevOpsDays is a worldwide community

Documents
Let's Have a DevOps Team - Ignite Talk DevOpsDays Berlin 2015

Let's Have a DevOps Team - Ignite Talk DevOpsDays Berlin 2015

Technology
DevOps Do's and Don'ts, DevOpsDays SV 2013

DevOps Do's and Don'ts, DevOpsDays SV 2013

Technology