SlideShare a Scribd company logo

Succeeding-Marriage-Cybersecurity-DevOps final

Download as PPTX, PDF
R
rkadayam

This document discusses succeeding in the marriage of cybersecurity and DevOps. It outlines five keys to a successful marriage: 1) establish a common process framework; 2) commit to collaboration; 3) design for security from inception; 4) strive to automate security processes; and 5) continuously learn and innovate. The document provides examples of how tools like Espial can help automate and integrate security testing into the development pipeline to enable continuous detection and faster remediation of vulnerabilities.

1 of 23
Download to read offline
Rajiv Kadayam © 2016 eGlobalTech. All rights reserved. Succeeding in the Marriage of Cybersecurity and DevOps
2 About Rajiv & eGT  Executive Technologist  Product Owner  Agile Manager/Coach  Solutions Architect  Sr. Director, Technology Strategy  Dad / Hubby • Established in 2004 • Agile Development & DevOps • Cloud Migration & Enablement • Cybersecurity & Information Assurance • eGT Labs – skunk works ! • 30+ federal agencies
Best of times…and Worst of times.. 3 Businesses need to deliver faster and be more responsive Align organizational units to rally behind one common goal Continuously assess, monitor, prevent, and counter security risks and issues Leverage technology, automation and agile practices to achieve all of the above • E-Commerce Transactions to pass $1.5 Trillion/year • Era of Digital & Connected Lives – mobile, cloud, wearables, social • B2B ecommerce predicted to hit $6.7T/year by 2020 • 47% of American adults had their personal information stolen by hackers • Cyber crime costs businesses $400+ Billion/year - McAfee, 2014
Stone Age IT 4 Development OperationsCybersecurity QA and TestingEnterprise Architecture  Messages lost in translation  Slow & unwieldy  Too much finger pointing  Ultimately business suffers and people too… Initiation & Planning Requirements Definition Design Development Testing Implementation Operations & Maintenance
Enter Agile Development Methodology 5 Automated Deployment Continuous Integration Automated Code Review Product / Release Backlog Sprint Backlog System Releases Continuous feedback loop Production Development Testing/Demo Test Driven Development Iterative Development & Testing  Scrum  Kanban  Lean  SAFe Initiation & Planning Requirements Definition Design Development Testing Implementation Operations & Maintenance Agile as a means to develop solutions faster, release frequently and incorporate feedback continuously
Gradual Agile Transformation 6 Development Operations Cybersecurity QA and Testing Enterprise Architecture Other Stakeholders More and more federal agencies are adopting agile Some agencies have adopted DevOps Very few agencies are truly performing blue- green deployments Need to break walls and build a tighter trust circle Agile Software Development & DevOps Agencies are plagued with security concerns – preventing DevOps transformation
DevOps + Cybersecurity  DevOpsSec  Yes, but what about Testing, Users, Requirements, EA ?  ReqEADevTestingSecOps ?  DevOps => More than just “Development” and “Operations”  Philosophy , Culture, Process, Automation, Tools & Continuous Learning  By Practitioners - For Practitioners 7
DevOps & Cybersecurity – Flipping Resistance  Results 8 Challenges • Organizational hierarchies • Lack of domain understanding • RMF, NIST Controls • Emerging / Open Source Tech • Different tools and processes • Different objectives – • DevOps: Deliver Faster vs Security: Protect Information Opportunities Secure Designs, Robust Solutions, Reduced $Costs$ Integrate and automate delivery pipeline – Accelerate time to Market Respond faster to business Enhanced Transparency, Visibility and Accountability
Keys to a Successful Marriage of DevOps & Cybersecurity 9
#1 – Come together - Establish Common Process Framework • Integrate and Align SDLC and RMF • Concurrently execute lifecycle phases • Peer review and validate work products • Reinforce security mindset in every step of the process. • Universal visibility, transparency, and accountability 10 NIST Risk Management Framework Software Development Lifecycle + Categorize Information System Select Security Controls Implement Security Controls Assess Security Controls Authorize Information System Monitor Security Controls Initiation & Planning Requirements Design Development Testing Implementation Operations & Maintenance
DevOps Factory 11 Machine enforced governance and compliance established by fully automated CI/CD process expressed in code
#2 – Be kind to your partner - Commit to Collaborate 12 DevOpsCybersecurity Target solution must properly address all required NIST security controls ! • Truly bring disparate teams together to work towards common goals and objectives • Learn, understand and appreciate each other’s concern • Instead of “No, not possible” – explore and provide alternate approaches • Leverage effective collaboration tools Here is how and what needs to be done to certify new technologies for secure acceptable use  Common Goals  Invested in Shared Success  Continuous Communication I want to adopt the latest and greatest open source technology Is this implementation approach secure and compliant ?
#3 – Build Trust Early - Design for Security From Inception 13 • Detect basic security issues early and prevent downstream friction • Include security issues (POAMS, etc) as part of the product backlog and prioritize collectively • Keep pace with new technology insertion and refreshes • Address security controls early in the architecture and design phase Develop System & Software Architecture and Design Test for compliance with required NIST controls
#4 – Simplify Life - Strive to Automate 14 Security Docs Security Testing, Monitoring & Compliance Automation & Orchestration • Aggressively exploit opportunities to automate security processes • Automate - • FISMA / FedRAMP documentation • Security Penetration/Vulnerability Testing • Security Compliance and Monitoring • Intrusion Detection & Data Breaches • Threat Management SaaS / PaaS / IaaS SDLC Activities
Security Policy and Compliance “as code” 15 • Replace opinionated human compliance checkers with machines – Compliant or Non-Compliant describe port(80) do it { should_not be_listening } end describe port(443) do it { should be_listening } its('protocol') {should eq 'tcp'} end • BDD-Security , Gauntlt – security test code expressed in plain English • Treat like any other code – source control, versions, peer review • Provides a time-machine view into security evolution • Produces valuable raw data for historical and trend analytics Short detour for a specific use case /demo…
Web Application Security Vulnerabilities Survey Results 16 86% of websites and web-apps contain at least one serious vulnerability Make vulnerability remediation process faster and easier Visibility, Accountability and Empowerment More secure software, NOT more security software
What is OWASP ? 17 Make software security visible, so that individuals and organizations are able to make informed decisions 100s of Projects.. OWASP Top 10 security flaws
Agile Development & OWASP Testing is Disconnected 18 Source Control Release Candidate Build Testing • Unit • Functional • Static Code Scan • Performance, etc Staging / Production Iterative / Agile Development Security Penetration Testing Backlog Multiple daily/weekly iterations Push security testing left of the process  Web App Penetration testing conducted very late in the process  Developers have limited visibility and less time to remediate issues  Security vulnerabilities leak through into production
Espial – Automate & Integrate Penetration Testing 19 Jenkins Source Control Automated Build Automated Testing • Unit • Functional, etc. • Espial Plugin Automated Deployment deploy execute tests & collect results Build Quality Report - Code Quality - Test Execution Results - Espial - Security Vulnerabilities - Metrics output orchestrate Vagrant Docker image Dev/Test Env Apps Prod Env Apps Apps A mechanism that automates and integrates security vulnerability tests as part of your existing Jenkins-based CI/CD process Continuous Detection  Faster Remediation
Espial Video 20 https://vimeo.com/170149154
Espial – Key Benefits 21 • Platform and programming language agnostic. • Any web-app • Out of the box integration with Jenkins • Developers have clear visibility of security vulnerabilities • Comprehensive – crawls all end-points automatically • Eliminates risk of vulnerabilities creeping in
#5 – Keep the spark alive - Continuously Learn & Innovate 22 • Evaluate emerging tools & technologies for adoption • Identify opportunities to innovate and evolve • Threat Management • Security Data Analytics • Interactive Application Security Testing • Promote industry and community relationships • Cultivate Labs – Ideas to Reality • Promote innovation • Experiment and Prototype • Productize • Rinse and Repeat
Questions ? Rajiv Kadayam Senior Director, Technology Strategy rajiv.kadayam@eglobaltech.com https://www.linkedin.com/in/rajivkadayam http://www.eglobaltech.com http://www.cloudamatic.com 23 Thank You ! Keep Innovating…

Recommended

Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CD
rkadayam
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security Tools
Kevin Fealey
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
CloudPassage
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
Dinis Cruz
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
Qualitest
 
we45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennaiwe45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennai
Abhay Bhargav
 
we45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentationwe45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentation
Abhay Bhargav
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Veracode
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
Matt Tesauro
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
Klocwork
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOps
Tom Cappetta
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
2018 07-24 network security at the speed of dev ops - webinar
2018 07-24 network security at the speed of dev ops - webinar2018 07-24 network security at the speed of dev ops - webinar
2018 07-24 network security at the speed of dev ops - webinar
AlgoSec
 
DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged Software
SeniorStoryteller
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
WhiteSource
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer Maor
DevSecCon
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
Shannon Lietz
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
Shannon Lietz
 

More Related Content

What's hot (20)

we45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennaiwe45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennai
Abhay Bhargav
 
we45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentationwe45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentation
Abhay Bhargav
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Veracode
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
Matt Tesauro
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
Klocwork
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOps
Tom Cappetta
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
2018 07-24 network security at the speed of dev ops - webinar
2018 07-24 network security at the speed of dev ops - webinar2018 07-24 network security at the speed of dev ops - webinar
2018 07-24 network security at the speed of dev ops - webinar
AlgoSec
 
DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged Software
SeniorStoryteller
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
WhiteSource
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer Maor
DevSecCon
 
we45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennaiwe45 SecDevOps Presentation - ISACA Chennai
we45 SecDevOps Presentation - ISACA Chennai
Abhay Bhargav
 
we45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentationwe45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentation
Abhay Bhargav
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Veracode
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
Matt Tesauro
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
Klocwork
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOps
Tom Cappetta
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
2018 07-24 network security at the speed of dev ops - webinar
2018 07-24 network security at the speed of dev ops - webinar2018 07-24 network security at the speed of dev ops - webinar
2018 07-24 network security at the speed of dev ops - webinar
AlgoSec
 
DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged Software
SeniorStoryteller
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
Barriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome ThemBarriers to Container Security and How to Overcome Them
Barriers to Container Security and How to Overcome Them
WhiteSource
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer Maor
DevSecCon
 

Similar to Succeeding-Marriage-Cybersecurity-DevOps final (20)

ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
Shannon Lietz
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
Shannon Lietz
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
Shannon Lietz
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
SecPod Technologies
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
centralohioissa
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Eryk Budi Pratama
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
Christian Martorella
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owasp
Dag Rowe
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
Shannon Lietz
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
Shannon Lietz
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
Shannon Lietz
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
SecPod Technologies
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
centralohioissa
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Eryk Budi Pratama
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
Christian Martorella
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owasp
Dag Rowe
 

Succeeding-Marriage-Cybersecurity-DevOps final

  • 1. Rajiv Kadayam © 2016 eGlobalTech. All rights reserved. Succeeding in the Marriage of Cybersecurity and DevOps
  • 2. 2 About Rajiv & eGT  Executive Technologist  Product Owner  Agile Manager/Coach  Solutions Architect  Sr. Director, Technology Strategy  Dad / Hubby • Established in 2004 • Agile Development & DevOps • Cloud Migration & Enablement • Cybersecurity & Information Assurance • eGT Labs – skunk works ! • 30+ federal agencies
  • 3. Best of times…and Worst of times.. 3 Businesses need to deliver faster and be more responsive Align organizational units to rally behind one common goal Continuously assess, monitor, prevent, and counter security risks and issues Leverage technology, automation and agile practices to achieve all of the above • E-Commerce Transactions to pass $1.5 Trillion/year • Era of Digital & Connected Lives – mobile, cloud, wearables, social • B2B ecommerce predicted to hit $6.7T/year by 2020 • 47% of American adults had their personal information stolen by hackers • Cyber crime costs businesses $400+ Billion/year - McAfee, 2014
  • 4. Stone Age IT 4 Development OperationsCybersecurity QA and TestingEnterprise Architecture  Messages lost in translation  Slow & unwieldy  Too much finger pointing  Ultimately business suffers and people too… Initiation & Planning Requirements Definition Design Development Testing Implementation Operations & Maintenance
  • 5. Enter Agile Development Methodology 5 Automated Deployment Continuous Integration Automated Code Review Product / Release Backlog Sprint Backlog System Releases Continuous feedback loop Production Development Testing/Demo Test Driven Development Iterative Development & Testing  Scrum  Kanban  Lean  SAFe Initiation & Planning Requirements Definition Design Development Testing Implementation Operations & Maintenance Agile as a means to develop solutions faster, release frequently and incorporate feedback continuously
  • 6. Gradual Agile Transformation 6 Development Operations Cybersecurity QA and Testing Enterprise Architecture Other Stakeholders More and more federal agencies are adopting agile Some agencies have adopted DevOps Very few agencies are truly performing blue- green deployments Need to break walls and build a tighter trust circle Agile Software Development & DevOps Agencies are plagued with security concerns – preventing DevOps transformation
  • 7. DevOps + Cybersecurity  DevOpsSec  Yes, but what about Testing, Users, Requirements, EA ?  ReqEADevTestingSecOps ?  DevOps => More than just “Development” and “Operations”  Philosophy , Culture, Process, Automation, Tools & Continuous Learning  By Practitioners - For Practitioners 7
  • 8. DevOps & Cybersecurity – Flipping Resistance  Results 8 Challenges • Organizational hierarchies • Lack of domain understanding • RMF, NIST Controls • Emerging / Open Source Tech • Different tools and processes • Different objectives – • DevOps: Deliver Faster vs Security: Protect Information Opportunities Secure Designs, Robust Solutions, Reduced $Costs$ Integrate and automate delivery pipeline – Accelerate time to Market Respond faster to business Enhanced Transparency, Visibility and Accountability
  • 9. Keys to a Successful Marriage of DevOps & Cybersecurity 9
  • 10. #1 – Come together - Establish Common Process Framework • Integrate and Align SDLC and RMF • Concurrently execute lifecycle phases • Peer review and validate work products • Reinforce security mindset in every step of the process. • Universal visibility, transparency, and accountability 10 NIST Risk Management Framework Software Development Lifecycle + Categorize Information System Select Security Controls Implement Security Controls Assess Security Controls Authorize Information System Monitor Security Controls Initiation & Planning Requirements Design Development Testing Implementation Operations & Maintenance
  • 11. DevOps Factory 11 Machine enforced governance and compliance established by fully automated CI/CD process expressed in code
  • 12. #2 – Be kind to your partner - Commit to Collaborate 12 DevOpsCybersecurity Target solution must properly address all required NIST security controls ! • Truly bring disparate teams together to work towards common goals and objectives • Learn, understand and appreciate each other’s concern • Instead of “No, not possible” – explore and provide alternate approaches • Leverage effective collaboration tools Here is how and what needs to be done to certify new technologies for secure acceptable use  Common Goals  Invested in Shared Success  Continuous Communication I want to adopt the latest and greatest open source technology Is this implementation approach secure and compliant ?
  • 13. #3 – Build Trust Early - Design for Security From Inception 13 • Detect basic security issues early and prevent downstream friction • Include security issues (POAMS, etc) as part of the product backlog and prioritize collectively • Keep pace with new technology insertion and refreshes • Address security controls early in the architecture and design phase Develop System & Software Architecture and Design Test for compliance with required NIST controls
  • 14. #4 – Simplify Life - Strive to Automate 14 Security Docs Security Testing, Monitoring & Compliance Automation & Orchestration • Aggressively exploit opportunities to automate security processes • Automate - • FISMA / FedRAMP documentation • Security Penetration/Vulnerability Testing • Security Compliance and Monitoring • Intrusion Detection & Data Breaches • Threat Management SaaS / PaaS / IaaS SDLC Activities
  • 15. Security Policy and Compliance “as code” 15 • Replace opinionated human compliance checkers with machines – Compliant or Non-Compliant describe port(80) do it { should_not be_listening } end describe port(443) do it { should be_listening } its('protocol') {should eq 'tcp'} end • BDD-Security , Gauntlt – security test code expressed in plain English • Treat like any other code – source control, versions, peer review • Provides a time-machine view into security evolution • Produces valuable raw data for historical and trend analytics Short detour for a specific use case /demo…
  • 16. Web Application Security Vulnerabilities Survey Results 16 86% of websites and web-apps contain at least one serious vulnerability Make vulnerability remediation process faster and easier Visibility, Accountability and Empowerment More secure software, NOT more security software
  • 17. What is OWASP ? 17 Make software security visible, so that individuals and organizations are able to make informed decisions 100s of Projects.. OWASP Top 10 security flaws
  • 18. Agile Development & OWASP Testing is Disconnected 18 Source Control Release Candidate Build Testing • Unit • Functional • Static Code Scan • Performance, etc Staging / Production Iterative / Agile Development Security Penetration Testing Backlog Multiple daily/weekly iterations Push security testing left of the process  Web App Penetration testing conducted very late in the process  Developers have limited visibility and less time to remediate issues  Security vulnerabilities leak through into production
  • 19. Espial – Automate & Integrate Penetration Testing 19 Jenkins Source Control Automated Build Automated Testing • Unit • Functional, etc. • Espial Plugin Automated Deployment deploy execute tests & collect results Build Quality Report - Code Quality - Test Execution Results - Espial - Security Vulnerabilities - Metrics output orchestrate Vagrant Docker image Dev/Test Env Apps Prod Env Apps Apps A mechanism that automates and integrates security vulnerability tests as part of your existing Jenkins-based CI/CD process Continuous Detection  Faster Remediation
  • 21. Espial – Key Benefits 21 • Platform and programming language agnostic. • Any web-app • Out of the box integration with Jenkins • Developers have clear visibility of security vulnerabilities • Comprehensive – crawls all end-points automatically • Eliminates risk of vulnerabilities creeping in
  • 22. #5 – Keep the spark alive - Continuously Learn & Innovate 22 • Evaluate emerging tools & technologies for adoption • Identify opportunities to innovate and evolve • Threat Management • Security Data Analytics • Interactive Application Security Testing • Promote industry and community relationships • Cultivate Labs – Ideas to Reality • Promote innovation • Experiment and Prototype • Productize • Rinse and Repeat
  • 23. Questions ? Rajiv Kadayam Senior Director, Technology Strategy [email protected] https://www.linkedin.com/in/rajivkadayam http://www.eglobaltech.com http://www.cloudamatic.com 23 Thank You ! Keep Innovating…