![[DevSecOps Live] DevSecOps: Challenges and Opportunities](https://cdn.slidesharecdn.com/ss_thumbnails/20200316dsochallengesopportunities-200416111818-thumbnail.jpg?width=560&fit=bounds)
Ad
More Related Content
What's hot (20)
Similar to Introduction to DevSecOps (20)
Ad
Recently uploaded (20)
Ad
Introduction to DevSecOps
- 1. Abhimanyu Bhogwan InfoSec Consultant with 10 yrs of experience in multiple security domains Hobbies: yoga , driving , music
- 3. What is DevOps? • DevOps (development and operations) is an enterprise software development phrase used to mean a type of agile relationship between development and IT operations. • The goal of DevOps is to change and improve the relationship by advocating better communication and collaboration between these two business units
- 5. What is DevSecOps? • DevSecOps refers to ‘DevOps with integrated security.’ • DevSecOps promotes ‘security is a shared responsibility’ culture wherein security is not a responsibility for only one specific team, but everyone in the team is accountable for security. • DevSecOps aims to integrate security controls in the early stage of software development, rather than implementing at the end.
- 6. Integrating Security in DevOps
- 7. Why do we need DevSecOps • DevOps’ focus on speed often leaves security teams flat-footed and reactive • Cultural resistance to security • DevOps and cloud environments • Containers and other tools carry their own risks • Unmanaged secrets and poor privileged access controls open dangerous backdoors • to help expedite workflows, DevOps teams may allow almost unrestricted access to privileged accounts (root, admin, etc.)
- 8. Uber Delivers a Cautionary Lesson for the DevOps Culture • It’s arguable what was more egregious about Uber’s breach of information of 57 million customers as well as roughly 600,000 drivers; the fact that Uber paid hackers hush money to conceal the hack from the public for months, or the reckless disregard for proper security that led to the hack. • In this instance, an Uber employee published credentials on GitHub, a popular cloud-based, open- source code repository used by developers. A hacker simply captured the Uber credentials off GitHub, then leveraged them for privileged access on Uber’s Amazon AWS Instances. As inexcusable (or at least as inadvisable) as this practice sounds, developers commonly embed authentication credentials and other DevOps secrets haphazardly into code for easy access.
- 9. Here are six important components of a DevSecOps approach: • Code analysis – deliver code in small chunks so vulnerabilities can be identified quickly. • Change management – increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad. • Compliance monitoring – be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.). • Threat investigation – identify potential emerging threats with each code update and be able to respond quickly. • Vulnerability assessment – identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched. • Security training – train software and IT engineers with guidelines for set routines.
- 10. DevOps Security Best Practices Embrace a DevSecOps model:Embrace Enforce policy & governanceEnforce Automate your DevOps security processes and toolsAutomate Perform comprehensive discoveryPerform Conduct vulnerability managementConduct Adopt configuration managementAdopt Secure access with DevOps secrets managementSecure Control, monitor, and audit access with privileged access management Control, monitor, and audit Segment networksSegment
- 11. Integrate Security in CI/CD pipeline
- 12. Different aspects of DevSecOps security in the software lifecycle including tools • Static Code Analysis – Scans for vulnerabilities in the code after coding but before unit testing during development (e.g. SonarQube) • Configuration Management and Compliance – Know how your application is configured and whether it follows your policies (e.g., Ansible, Chef, Puppet) • Dynamic Code Analysis – Scan your code for vulnerabilities in how it performs. Execute unit tests to find errors (e.g., SonarLint, VeraCode) • Vulnerability Scanning – Automatically identify known issues in your application for penetration testing (e.g., Nessus) • Infrastructure as Code – Ensures the application is deployed securely and without errors in a repeatable manner (e.g., Ansible) • Continuous Monitoring – Information on how the application is running, collected and monitored to identify issues and feed future improvements. This is done in production environment. (e.g. Splunk, AppDynamics) • Container Security – monitor and protect containers (e.g., BlackDuck)
- 13. DevSecOps has three Pillars of Strength People • Trust • Collaboration • Transparency • Communicati on • Incentive and responsibility alignment • Governance Tools • Build • Test • Deploy • Monitor • Security • Logging Process • Continuous Integration • Continuous Testing • Continuous Delivery • Continuous Monitoring • Configuration Management
- 14. Security Champions in DevSecOps • Who are Security Champions? • Security Champions are "active members of a team that may help to make decisions about when to engage the Security Team". They act as a core element of security assurance process within the product or service, and hold the role of the Single Point of Contact (SPOC) within the team. • What benefits do Champions bring to my company? • Scaling security through multiple teams • Engaging "non-security" folks • Establishing the security culture
- 16. Threat Modeling DevSecOps threat modeling is an organizational culture that ensures security is a consideration from the beginning stages of development. Organizations can use DevSecOps to build more secure applications without causing a lot of friction in their build and deploy process
- 17. SAST & DAST Static application security testing (SAST) SAST is also known as “white-box testing”, meaning it tests the internal structures or workings of an application, as opposed to its functionality. It operates at the same level as the source code in order to detect vulnerabilities. Since the SAST analysis is conducted before code compilation, and without executing it, this tool can be applied early on in the software development lifecycle (SDLC). Most SAST tools support the major web languages: PHP, Java, and .Net, and some form of C, C++, or C#. Dynamic application security testing (DAST) DAST is a “black box testing” method, meaning it is performed from the outside in. The principle revolves around introducing faults to test code paths on an application. For instance, it can use threat data feeds to detect malicious activity. DAST doesn’t require source code or binaries since it analyzes by executing the application.
- 18. IAST and RASP Interactive application security testing (IAST) AST uses software instrumentation to assess how an application performs and detect vulnerabilities. IAST has an “agent-like” approach, meaning agents and sensors are run to continually analyze the application workings during automated testing, manual testing, or a mix of the two. The process and feedback are done in real time in your integrated development environment (IDE), continuous integration (CI) environment, or quality assurance, or while in production. The sensors have access to: the entire code; data-flow and control-flow; system configuration data; web components; and back-end connection data. Runtime application self-protection (RASP) RASP is capable of inspecting application behavior, as well as the surrounding context. It captures all requests to ensure they are secure and then handles request validation inside the application. RASP can raise an alarm in diagnostic mode and prevent an attack in protection mode, which is done by either stopping the execution of a certain operation or terminating the session.
- 19. Conclusion • DevSecOps needs to be a proactive customer centric approach rather than a reactive approach. • DevSecOps benefits include cost reduction, speed of delivery, speed of recovery, compliance at scale etc. • DevSecOps helps us detect and fix issues earlier in the development process thus reducing greatly the cost associated with identifying and fixing them.