Dev{sec}ops
Download as PPTX, PDF•1 like•286 views
The document discusses the integration of security in devops practices, emphasizing the importance of automation in security scanning and proactive measures for secure software development. It highlights strategies for detecting and addressing vulnerabilities early in the software development lifecycle, as well as the role of constant feedback and collaboration between development and security teams. Various tools and methodologies are provided for automating compliance monitoring, threat assessment, and source code scanning.
Dev{sec}ops
- 1. Dev{Sec}Ops AUTOMATION CAN BE SECURITY FRIENDLY
- 2. The Talk Dev{Sec}Ops - Automation can be Security Friendly Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show off how easily it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples DevOps team can implement for free.
- 3. Dev – Ops Culture DevOps DevSecOps SecDevOps DevSecAuditOps Security Team’s Problems That security guy
- 4. Shift Left …? How about “Extend Left and Right”?
- 5. Steven Carlson Software Engineer who is passionate about clean secure code. https://rockrunner007.github.io/ The guy on the far right… people do odd things when they ride a bicycle for 7 straight days… #RAGBRAI2019
- 6. The Stage HIGHLY REGULATED INDUSTRY OR NOT?!
- 7. Choose Policy and/or Goal GDPR SOC 1 | 2 | 3 PCI NIST
- 8. COVID-19 Reliable Easy to use Secure Feature Rich Efficient
- 9. The Policy A Secure Software Development Life Cycle Policy or SDL This process requires that an applications be designed, developed, and maintained to protect the integrity of all application functions as well as sensitive data collected in association with the application.
- 10. Secure Phase Guidance Find it early. Fix it early. Implement a proactive approach to discover and mitigate security issues in the early stages of SDL thereby significantly reducing the cost of fixing the post-production vulnerabilities. Avoid replicating vulnerabilities Vulnerabilities get copied and replicated across the code base, it magnifies risk in individual projects and possibly across multiple projects. Then it becomes a big development effort to clean up those vulnerabilities. Learn from constant feedback Constant feedback and successful collaboration between developers and security team will reduce the risk factor throughout SDL.
- 11. The Program SCANNING + PRODUCT REVIEW + ACCESS MANAGEMENT = SDL
- 12. General Guidance Code analysis Embed automatic software vulnerabilities detection tools such as Checkmarx into your DevOps pipelines. Change management Increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad. Compliance monitoring Automate compliance and be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.). Threat investigation Identify potential emerging threats with each code update and be able to respond quickly. Vulnerability assessment Identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched. Security training Train software and IT engineers with guidelines for set routines.
- 13. Threat Modeling What are we building? What can go wrong? What are we going do about it? How well are we doing?
- 15. Source Code Scanning Reviewing the source for a product Password Search Bad patterns Known framework issues
- 17. Open Source Scanning Security Risk due to known vulnerabilities with packages or package dependencies License Compliance checking for known license and comparing to company policy
- 19. Secrets Management Passwords API Keys Hashing Salt + Vector + Work Factor SSL Cert
- 21. Deployed Application Scanning Crawl a deployed application Use an authenticated user Scheduled scans
- 22. Rapid 7 Insight Appsec Resource: https://www.rapid7.com/products/insightapp sec/ Example: https://github.com/RockRunner007/DAST_Au tomation
- 23. Product Score Card Measure product security stance Measure development readiness Communicate leadership and SDL expectation
- 24. Product Review Program Resource: Q2 DevSecOps Team Example: https://github.com/RockRunner007/Security- Programs
- 25. Security Champion Enable engineers to leverage the SDL Point person for application security questions Partnership on scanning configuration Partnership on product development
- 26. Security Champion Playbook Resource: https://github.com/c0rdis/security- champions-playbook Example: https://github.com/RockRunner007/Security- Programs
- 27. The Opera OPERATION … SEE WHAT I DID THERE?!
- 28. All Together Now
- 29. Dashboard Data from security program Break it down per product Results from before SDL and now
- 30. Exam | Audit Time History of all scan per product Policies each scan is configured with Listing of user’s access and permissions Track of remediation
- 32. Shift Left …? How about “Extend Left and Right”?
- 33. Easy as 1 2 3 …?
- 35. Steven Carlson Software Engineer who is passionate about clean secure code. https://rockrunner007.github.io/ The guy on the far right… people do odd things when they ride a bicycle for 7 straight days… #RAGBRAI2019