DevOps Security - Part 1
An insight into S-SDLC
SUMAN SOURAV
Agenda
• DevOps Security - Introduction
• Software Security Toll Gates in DevOps
• An inside story of continuous security testing implementation
• Challenges
Disclaimer
Not endorsing any tools
About me
• Software Security Professional with 10+ years of experience
• Specializes in Secure SDLC implementation: Threat Modeling / Secure Code Review / Penetration Testing / DevOps Security
• Secure Coding Trainer, Security QA Testing Trainer, Speaker
• What next for me? IoT Security, Smart City Security
DevOps - Introduction
Faster Release Cycle
Shortened Delivery Time
Unified Tools and Process
Integration between different teams
Secure-SDLC
• Requirements: Security Requirements
• Design: Threat Modeling
• Development: Secure Code Review
• Deployment: Vulnerability Scanning/PT
• Operation: Monitoring
Time to complete these activities?
DevOps Security: Pre-Staging
Source: Kaspersky
Continuous Integration
Security Automation
Right Process, People, Tools
Collaboration & Sharing
Metrics and Data Analytics
Security Failures in DevOps
[Diagram: Dev Risk across the pipeline phases Requirements, Design, Development, Build and Deploy, Staging and Production, with the controls Threat Modeling, SCM Tools, SCA Tools/IDE Plugins, Security Test Automation, VS/PT/IAST, Components Monitoring and Production Monitoring, alongside External Repositories, a Common Components Repository and a Third Party Libraries Security Report.]
Collaboration
[Diagram: Security Champions connected to Product 1 through Product 9.]
Requirements
• Security Questionnaire
• Automated Score Calculation
• Provide guidance for component selection
Design
Threat Modeling (Demo) - Automated Approach
Development
Source Code Management
1. Branching
2. Ownerships
Secure Code Review - IDE Plugins (Demo)
Develop and Test
Takes a couple of minutes to generate a vulnerability report
Vulnerability Coverage
• Detect the most obvious vulnerabilities
• Quickly provide the security posture of the applications
Merging Reports
• Keep an eye on new issues and fixed issues
• Less time spent in false positive analysis
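The report-merging step above, as an added example that is not part of the original deck: two constructed scan reports from consecutive builds are keyed on a line-number-independent fingerprint (an assumed scheme), so the CI step reports only new and fixed issues, carries forward false-positive triage from the previous run, and fails the build only on newly introduced high-severity findings.

```python
import hashlib

# Constructed sample reports from two consecutive builds (not real scanner output).
BASELINE = [
    {"rule": "SQLi", "severity": "high", "file": "dao.py", "line": 40,
     "code": "cursor.execute(q % user)", "false_positive": False},
    {"rule": "XSS", "severity": "medium", "file": "views.py", "line": 12,
     "code": "return Markup(name)", "false_positive": True},
    {"rule": "HardcodedSecret", "severity": "high", "file": "cfg.py", "line": 3,
     "code": "API_KEY = 'x'", "false_positive": False},
]
CURRENT = [
    # Same SQLi finding, shifted by 5 lines after an unrelated edit.
    {"rule": "SQLi", "severity": "high", "file": "dao.py", "line": 45,
     "code": "cursor.execute(q % user)"},
    # Reappears, but was triaged as a false positive in the baseline.
    {"rule": "XSS", "severity": "medium", "file": "views.py", "line": 18,
     "code": "return Markup(name)"},
    # Genuinely new finding introduced in this build.
    {"rule": "PathTraversal", "severity": "high", "file": "dl.py", "line": 9,
     "code": "open(base + name)"},
]

def fingerprint(f):
    """Assumed key that ignores line numbers, so edits elsewhere in a
    file do not make an old finding look new."""
    raw = f"{f['rule']}|{f['file']}|{f['code'].strip()}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def merge(baseline, current):
    """Classify findings as new, fixed, unchanged or suppressed (known FP)."""
    base = {fingerprint(f): f for f in baseline}
    cur = {fingerprint(f): f for f in current}
    result = {"new": [], "fixed": [], "unchanged": [], "suppressed": []}
    for key, finding in cur.items():
        if key not in base:
            result["new"].append(finding)
        elif base[key].get("false_positive"):
            result["suppressed"].append(finding)  # triage carried forward
        else:
            result["unchanged"].append(finding)
    result["fixed"] = [base[k] for k in base if k not in cur]
    return result

def gate(result, fail_on=("high",)):
    """CI gate: fail only on newly introduced findings at the listed severities."""
    return not any(f["severity"] in fail_on for f in result["new"])

if __name__ == "__main__":  # run stand-alone to print the classification
    RESULT = merge(BASELINE, CURRENT)
    print(RESULT["new"], RESULT["fixed"], "passes:", gate(RESULT))
```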
Build & Deployment
CI Tools
• Jenkins
• Hudson
• TeamCity etc.
CI Tools Integration
• Third party libraries analysis
• Static Analysis
• Security Unit Test Cases
• Dynamic Analysis
QA Role in DevOps Security
• Security Review of Requirements & Design Documents
• Security Static Code Analysis Results Review
• Dynamic Security Analysis
• Penetration Testing including Fuzz Testing
• Third Party Components Review
Security Unit Test Cases (Demo)
CI Integration - DAST
Unit Test Cases → Browsers → Scanners → Reports
Reference: http://www.hindsightsoftware.com/blog/security-testing-with-selenium-and-the-zed-attack-proxy-zap
Static Analysis Integration
[Diagram: Build Environment → Integrate With Build → Upload to Server (Login) → Execute Scan → Generate report on the Reporting Server; Developers → Fix Vulnerabilities; SA → Audit and Re-upload.]
Interactive Application Security Testing (IAST)
• Accuracy without false positives
• Testing is fast
• Indifferent to the underlying framework
Vulnerability Management & Hybrid Analysis
[Diagram: findings from Static Analysis, Dynamic Analysis, Security QA and VA/PT/IAST feed into Priority, then Fix.]
Security Metrics & Data Analytics
[Chart: Training Index and Bug Index across Release 1 to Release 4 (y-axis 0 to 120); one series reads 10, 20, 30, 40 and the other 110, 85, 71, 20.]
Bug Tracking System
• Keep track of issue remediation
• Workflow to automate issue creation & assigning ownership
• Automated email alert to respective product owners
Limitations & Challenges
• All manual tests can't be automated
• Test automations are not sequenced
Stay Tuned...
DevOps Security - Part 2
An insight into Security Operation
Suman Sourav
@SumanS0urav
https://sg.linkedin.com/in/sumansourav
