The State of DevSecOps
3 likes2,161 views
The document discusses the rise of DevSecOps and its importance for software development. It notes that existing security solutions are no longer adequate due to the speed of modern development, and that security has become a bottleneck. DevSecOps aims to integrate security practices into development workflows to enable continuous and real-time security. It outlines how security responsibilities have evolved from separate teams to being shared among developers, and how tools have progressed from periodic testing to continuous monitoring and automation. The document argues that DevSecOps is necessary now given the costs of data breaches and risks of vulnerabilities in open source components.
The State of DevSecOps
- 1. The State of DevSecOps
- 2. About me Stefan Streichsbier @s_streichsbier GuardRails.io Move fast, be safe.
- 3. What do these companies have in common? <10 years
- 4. Tech Startups in Asia – #10YearChallenge 2009 vs 2019
- 5. How is that possible?
- 6. 1. Existing solutions are no longer adequate Provide A Terrible User Experience Enterprise Solutions Come From The Waterfall Era Enterprise Means Overpriced
- 7. 2. SaaS enable wide-spread distribution Your Users Are EverywhereNo Need To Go To A Physical Location No Need to Create WW Sales Teams
- 8. 3. Cheaper to create & operate Software Startup Ecosystems Empower Entrepreneurs Open Source Software Provides Building Blocks Cloud Computing Provides Low Barrier of Entry
- 9. To summarize The existing solutions are ripe for replacement Creating new technology solutions was never faster Software can be Distributed globally
- 10. DevSecOps: How important is it really? • Agile took us from months to days to deliver software • DevOps took us from months to minutes to deploy software • More applications are mission critical • Now security has become the bottleneck
- 11. The real impact of hacks & breaches News is full of high-profile breaches that get widespread attention. But they are not the only target of hackers 43% of all cyber attacks target small businesses. 60% of small businesses that are Hacked go out of business within 6 months. 1/5 data breaches are the result of attackers abusing insecure web applications.
- 13. The Evolution of Security Tools Secure SDLCPenetration Testing DevSecOps Duration 2-4 weeks 1-2 weeks Continuous and Real-time Tools • Port Scanners • Vulnerability Scanners • Exploitation Tools Audience • Security Professionals Tools • Code Security Scanners • Dynamic Security Scanners • Vulnerability Scanners Audience • Security Professionals in Enterprise Security Teams Tools • Code Security Scanners • Interactive Security Scanners • Runtime Application Self Protection Audience • Developers in Product Teams
- 14. Security Development Operations The Evolution of Security Teams Secure SDLCPenetration Testing DevSecOps Security Development Operations Security Development Operations “Department of NO” “Let’s work together” “How can we help you succeed?”
- 15. Modern security teams empower dev teams! 100 10 1 Dev Ops Sec: : : : Looks like we have a scale problem
- 17. - John Willis You build it, you secure it.
- 18. Mindset within your product teams • Have Shared Pain and Shared Goals • Clearly defined global delivery goals (no competing KPIs) • Measure outcome (customer value), not output • Be Autonomous • Maximize flow (minimize cycle times) • Implement fast automated test suites • Never pass defects downstream • Create quality at the source (provide knowledge where needed) • Full decision authority • Full Accountability • Good or bad - you own it. There is no one else to blame
- 20. Understanding benefits of security controls Create Test Monitor Challenges • Changing human behavior • Difficult to enforce • People churn Benefits • Reduce new vulnerabilities Challenges • Vulnerability Noise • Fixing issues • Coverage of issues Benefits • Enforceable • Provide Metrics Challenges • Coverage of issues • Org wide rollout Benefits • Enforceable • Provide Metrics • Block attacks Security
- 21. DevSecOps - Monitor Are your applications currently under attack? Are we automatically defending against this attack? What are attackers going after? • Micro Segmentation • Runtime Application Self Protection (RASP) • Bug Bounties Questions you should be able to answerAvailable Technologies
- 22. DevSecOps - Test Do the latest changes introduce new security issues? Does our code contain hard- coded secrets? Do any of our 3rd party libraries have known security issues? Questions you should be able to answer • Static Application Security Testing (SAST) • Sensitive Information Scanners (SIS) • Software Composition Analysis (SCA/CCA) • Dynamic Security Scanning (DAST) • Interactive Application Security Testing (IAST) Available Technologies
- 23. Automated Security Testing SAST SCA DAST/IASTCCA CommercialOpenSource 60+
- 24. Where do these tools live? Source: https://twitter.com/djschleen
- 25. DevSecOps - Create Do your teams know the most common successful attacks? Who is the dedicated security contact in a team? Do your teams know how to detect and avoid them? Questions you should be able to answer • Security Awareness • Secure Coding Training • Shared Knowledge Base • Security Focused Hackathons • Security Champion Program Available Options
- 26. DevSecOps Do we really need it now? There are some compelling statistics • It’s 30 times cheaper to fix security defects in development vs production • 80% to 90% of modern applications consist of open source components • An average data breach costs 5M+ USD • Most of the DevOps high-performers include security in their delivery process Security as Competitive Advantage
- 27. State of DevSecOps - Conclusion Security TeamTechnologies Product Team • Tools have improved • Choose them wisely • Solve technology problems • Cover the whole portfolio • Start acting on data in prod • Department of YES • Empowering product teams • Use scarce resources wisely • Knowledge is power • Turn developers into security champs • Be mindful that change is slow • Build it, run it, secure it
- 28. Thank you
- 29. Get a curated list of security resources Consisting of: • Awesome security lists • Developer trainings • List of great security tools • Security Page templates • Free digital copy of my book • the slides • … and more Then send an email to: [email protected]