DevSecOps Implementation Journey
1 like1,324 views
Yohanes Syailendra discusses DevSecOps implementation at DKATALIS, an Indonesian company. Some key points: 1. DevSecOps shifts security left to earlier stages of development to find and fix vulnerabilities sooner. This allows for faster development times and more secure applications. 2. At DKATALIS, DevSecOps includes threat modeling, static application security testing (SAST), dynamic application security testing (DAST), infrastructure as code scanning, and container security throughout the development pipeline. 3. A successful DevSecOps implementation requires changing culture, processes, and architecture to establish security as a shared responsibility across development and security teams. Automation is also important to scale practices
DevSecOps Implementation Journey
- 1. PAGE 1 DEVOPS INDONESIA PAGE 1 DEVOPS INDONESIA Yohanes Syailendra, M.Kom DKATALIS Jakarta, 8 Maret 2022 DevSecOps Implementation Journey
- 3. #whoami Yohanes Syailendra, M.Kom LPT, ECSA, CEH, CPSA, CHFI, CEI • DevSecOps Lead • DFIR Consultant • Malware Researcher • Threat Intelligence Researcher • Research Leader Indonesia Honeynet Project
- 4. What is DevSecOps? → Is the ART to shifting security point of view to the left, broaden the security controls, not only on the later stage of development lifecycle, but every process of Development itself Why DevSecOps in DK? 1. Faster time-to-market because all the developer already understand what they lacking of before app release 2. Minimize the Security vulnerabilities findings at later stage (pentest) 3. More security visibility (up to Source code and third party module level) 4. Automation everywhere
- 5. Why Shifting to the Left? Pentest Pentest
- 7. In DevOps, Pipeline is everything
- 8. Security in DevOps Security Awareness Sprint Pentest
- 9. Culture> Processes> Architecture> Automation> Measurement Application Security Engineering (DevSecOps)
- 11. 10 DevSecOps Architecture Developer Commit their code to Gitlab SCM DK Developers & Tech Leads SCM and CI/CD Platform 2 CI/CD trigger scan using SCA & IAC scanner & SAST tool 3 SAST Tool Code Phase Build Phase Release Phase CI/CD trigger scan using DAST 5 Plan Phase App / Feature Design and RFC Process Define Threat Modelling for each app 1 Threat Modelling Tool DAST Tool Correlation Dashboard CI/CD trigger to scan the docker image 4 Container Security Container RASP 7 Container Security Mobile App Shielding Perform App Shielding 6 Verify Phase
- 12. DevSecOps - SAST & SCA
- 13. DevSecOps - DAST
- 14. DevSecOps - Infrastructure as Code Scanner
- 15. Establishing security as an enabler of cloud transformation within Masan Creating and embedding security engineering as a competency, to integrate security throughout the development lifecycle of applications and products Uplifting internal capability across technology teams, to ensure that people are skilled up/reskilled on security aspects of the cloud, through training and continuous enablement. Embracing a culture of review with clear processes designed to scale without impeding velocity. eg. code/config reviews with clear expectations and education of developers and reviewers Creating platforms and systems that are secure-by-design for the cloud ➢ Zero trust - Shifting from perimeter-based security to a model of no implicit trust ➢ Service identities - Establishing security based on identity rather than infrastructure ➢ Standardised policy enforcement - Integrating common policy/pipeline controls at scale ➢ Frequent, automated rollouts - Enabling rapid changes to address new threats ➢ Isolation between workloads - Giving security assurance at a micro-level for the hyperscale ➢ Reusable frameworks and hardened templates that enable secure-by-design architecture and application development in the cloud Security Engineering Defining a strong cloud security, governance and compliance posture Establishing a control-framework that provides clear guidelines and expectations of development teams Policy-as-code to automate policy management frameworks and enable continuous validation Shifting-left to integrate security tooling with engineers as early-as-possible in the application lifecycle (early feedback loops/DevSecOps) A rapid, secure onboarding path for application teams to use the cloud Enabling proactive and automated security response and remediation Integrating logging, monitoring and threat intelligence feeds to bring centralized/standardized visibility to cloud environments and identify events of high security/business risk Establishing cloud forensics and threat hunting capabilities to enable advanced security investigations and incident response Deploying security orchestration and automated response tooling and playbooks to provide rapid response and minimize the impact of cloud security incidents Security Culture Policy Management Security Operations 14 DevSecOps is not only about tooling
- 16. OWASP DevSecOps Maturity Guide: https://dsomm.timo-pagel.de/
- 17. Actionable Learning 1. AIM BIG, START SMALL, DevSecOps is a Journey not a one time project 2. Developers are your best friend. Work with them all the time 3. Don’t be a stopper for the pipeline at first, learn how DevOps works in stages 4. DevSecOps is not only about tooling, but develop a security mindset, process and cultures across developers 5. Security Team need to learn about coding practice, especially DevOps environment and tools they used, a full synergy with Developers is a must 6. Finding a vulnerability is very important, but closing the vulnerability more important 7. Do research on what technology fits your environment. Not every good tool can fit your pipelines
- 19. Stay Connected With Us! t.me/iddevops DevOps Indonesia DevOps Indonesia DevOps Indonesia @iddevops @iddevops DevOps Indonesia Scan here
- 20. PAGE 20 DEVOPS INDONESIA Alone Weare smart,together Weare brilliant THANKYOU ! Quote by Steve Anderson